Writing area security system

ABSTRACT

A writing area security system ( 10 ) includes a CPU ( 34 ), a flash memory ( 64 ), and a memory controller ( 62 ). The memory controller ( 62 ), when receiving a read command of data stored in the flash memory ( 64 ) from the CPU ( 34 ), performs a parity check on the data. The memory controller ( 62 ) outputs the data to the CPU ( 34 ) only when the parity of the read data is correct.

TECHNICAL FIELD

The present invention relates to a writing area security system. Morespecifically, the present invention relates to a writing area securitysystem for protecting a writing area from unauthorized use. Furthermore,the present invention relates to a memory controller and a securitymethod which are utilized in the writing area security system.

PRIOR ART

One example of an art of downloading data from a server to an IC card ofa portable terminal is disclosed in a Japanese Patent Laying-open No.2002-281181 (patent document 1) laid-open on Sep. 27, 2002. Morespecifically, in the art of the patent document 1, the IC card has filestructure so as to be protected by an access key for each file, and areadable-and-writable key by which an access is made to the IC card toread the content of the file and to rewrite the same is managed by onlya host server. Additions and changes to the content written in the ICcard can be performed only by a write instruction from the host serverafter an online connection is made with the host server through theportable terminal. That is, only at a time that thereadable-and-writable key which is sent with the instruction added, thatit is checked on the side of the IC card, and that the check is correct,the file is made accessible. Furthermore, by the readable-and-writablekey belonging to the portable terminal, the data written to the IC cardis read.

In the art of the Patent Document 1, write protection with respect tothe IC card is merely performed for each file by thereadable-and-writable key, and moreover, there is no idea of separatingbetween an area where protection can be performed by thereadable-and-writable key and the other area in the Patent Document 1.Thus, if the protection is broken, large quantities of data can bewritten to the IC card. Moreover, there is no mechanism for confirmingwhether or not the written data is authorized data, and thus, even ifthe data is data illegally written, this may be utilized in the portableterminal.

SUMMARY OF THE INVENTION

Therefore, it is a primary object of the present invention to provide anovel writing area security system, and a memory controller and asecurity method which are utilized therefor.

Another object of the present invention is to provide a writing areasecurity system, and a memory controller and a security method which areutilized therefor capable of, even if unintended data is written to awriting area, preventing the data from being illegally used.

The present invention employs following features in order to solve theabove-described problems. It should be noted that reference numerals andthe supplements inside the parentheses show one example of acorresponding relationship with the embodiments described later for easyunderstanding of the present invention, and do not limit the presentinvention.

A first invention is a writing area security system including a storingmeans having a predetermined writing area, a controlling meanscontrolling writing to and reading from the storing means, and a host tobe connected to the controlling means. The host includes an instructiontransmitting means for transmitting a reading instruction of data storedin the predetermined writing area to the controlling means. Thecontrolling means includes a format determining means for determiningwhether or not the data read from the predetermined writing area inresponse to the reading instruction is in a predetermined format and anoutput means for outputting the data to the host only when the formatdetermining means determines that the data is in the predeterminedformat.

In the first invention, a writing area security system (10, 100)includes a storing means (64), a controlling means (62), and a host(34). In the storing means, a predetermined writing area (206) isprovided. The controlling means controls writing to and reading from thestoring means. The host is a host computer which entirely controls thesystem, such as a host CPU, a host processor, or the like, and can beconnected to the controlling means so as to control the controllingmeans. The host includes an instruction transmitting means (S507) totransmit a reading instruction of data stored in the predeterminedwriting area to the controlling means. The controlling means includes aformat determining means (S621, S623) to determine whether or not thedata read from the predetermined writing area in response to the readinginstruction is in a predetermined format. The controlling means furtherincludes an output means (S625) to output the data to the host only whenthe format determining means determines that the data is in thepredetermined format.

According to the first invention, it is determined whether or not thedata read from the predetermined writing area is in the predeterminedformat, and the data being in the predetermined format is output to thehost. Accordingly, even if data not being in the predetermined format iswritten to the predetermined writing area, the data is not output to thehost, capable of preventing unintended data from being illegally used.

A second invention is a writing area security system according to thefirst invention, and the storing means has a first area and a secondarea, the controlling means further includes a first writing means forwriting data to the first area in a writable mode to which a transitionis made in response to a first transition command, and the formatdetermining means determines only with respect to the data read from thesecond area as the predetermined writing area whether or not the data isin the predetermined format.

In the second invention, the storing means is provided with a first area(204) and a second area (206). The controlling means further includes afirst writing means (S83, S267) to write data to the first area in awritable mode to which a transition is made in response to a firsttransition command. Additionally, the format determining meansdetermines only with respect to the data read from the second area asthe predetermined writing area whether or not the data is in thepredetermined format.

According to the second invention, it is possible to perform protectionaccording to the format determination only on the predetermined writingarea out of the storing means, and it is possible to perform writingallowing protection according to a transition to the writable mode onthe other area. Thus, it is possible to perform appropriate writing byusing different writing areas for different writing uses.

A third invention is a writing area security system according to thefirst invention, and the controlling means further includes an addressdetermining means for determining whether or not a reading addressdesignated from the host is within an accessible area out of thepredetermined writing area, and when the address determining meansdetermines that the reading address is within the area, the formatdetermining means determines whether or not the read data is in thepredetermined format.

In the third invention, the controlling means further includes anaddress determining means (S619) to determine whether or not a readingaddress designated from the host is within an accessible area out of thepredetermined writing area. When it is determined that the readingaddress is within the accessible area, it is determined whether or notthe read data is in the predetermined format.

According to the third invention, it is possible to determine whetherthe predetermined format or not only with respect to the data to whichthe reading designation is appropriately made.

A fourth invention is a writing area security system according to thefirst invention, and the format determining means makes a determinationby a parity check of the read data.

In the fourth invention, by the parity check of the read data, whetherthe predetermined format or not is determined. Thus, it is possible toeasily check authentication of the data.

A fifth invention is a writing area security system according to thefirst invention, and the controlling means makes a transition to anillegal mode when the format determining means determines that the readdata is not in the predetermined format.

In the fifth invention, when it is determined that the read data is notin the predetermined format, the controlling means makes a transition toan illegal mode. Thus, it is possible to prevent data reading from beingperformed from the predetermined writing area and prevent the data whichis illegally written from being used.

A sixth invention is a writing area security system according to thefirst invention, and the host includes a writing data generating meansfor generating data to which a parity bit is added, and the controllingmeans includes a second writing means for writing the data generated bythe writing data generating means in the predetermined writing area.

In the sixth invention, the host includes a writing data generatingmeans (S403) to generate data to which a parity bit is added. Forexample, the first seven bits of each byte is data to be written to thepredetermined writing area, and parity of the first seven bits is addedto the last bit. The controlling means further includes a second writingmeans (S409) to write the generated data with parity in thepredetermined writing area.

According to the sixth invention, at a time of writing to thepredetermined writing area, after the writing data is converted to datato which the parity bit is added, it can be written to the predeterminedarea. Thus, at a time of reading from the predetermined writing area,the data is determined to be authenticated data having the predeterminedformat, and then output to the host.

A seventh invention is a writing area security system according to thesecond invention, and the storing means stores boundary data between thefirst area and the second area.

In the seventh invention, in the storing means, the boundary databetween the first area and the second area is stored. While grasping thefirst area and the second area, the controlling means can access thesame by reference to the boundary data of the first area and theboundary data of the second area.

An eighth invention is a writing area security system according to thesecond invention, and includes a server and an information processingapparatus for downloading data from the server. The informationprocessing apparatus includes a storing means, a controlling means and ahost. The server includes a transition command transmitting means fortransmitting to the information processing apparatus the firsttransition command to cause the controlling means to make a transitionto a writable mode as to the first area of the storing means to theinformation processing apparatus, and a data transmitting means fortransmitting data to be downloaded.

In the eighth invention, a system (100) includes a server (102) and aninformation processing apparatus (10). The information processingapparatus includes the above-described storing means, controlling meansand host, and downloads data from the server. The location where thedownloaded data is to be written is a first area of the storing means.That is, the first writing means writes the data to the first area inthe writable mode to which a transition is made in response to the firsttransition command. A server includes a transition command transmittingmeans (S33, S323) to transmit to the information processing apparatusthe first transition command to cause the controlling means to make atransition to the writable mode as to the first area. The server furtherincludes a data transmitting means (S67, S341) to transmit data to bedownloaded to the information processing apparatus.

According to the eighth invention, writing of the data allowing stepwiseprotection by the transition to the writable mode in response to thefirst transition command from the server can be performed on the firstarea while protection by the determination of the format can beperformed on the second area.

A ninth invention is a writing area security system according to theeighth invention, and the server further includes an encrypting meansfor encrypting the first transition command. The transition commandtransmitting means transmits the first transition command encrypted bythe encrypting means, and the controlling means further includes adecrypting means for decrypting the encrypted first transition command.

In the ninth invention, the server further includes an encrypting means(S31) to encrypt the first transition command. The encrypted firsttransition command is transmitted by the transition command transmittingmeans. The controlling means further includes a decrypting means (S37,S227) to decrypt the encrypted first transition command.

According to the ninth invention, as to the writing to the first area,the first transition command can be encrypted and transmitted, capableof heightening the degree of security with respect to the modetransition.

A tenth invention is a writing area security system according to theeighth invention, and the first transition command includes an addressdesignated for writing the data to be downloaded. The controlling meansfurther includes write-enabling means for making only the designatedaddress writable out of the first area when a transition is made to thewritable mode as to the first area in response to the first transitioncommand.

In the tenth invention, an address for writing data can be designated inthe first transition command. The controlling means further includes awrite-enabling means (S45, S237) to make only the designated addresswritable out of the first area.

According to the tenth invention, by the first transition command, it ispossible to make a transition to the writable mode and make only theaddress designated by the command writable.

An eleventh invention is a writing area security system according to thetenth invention, and the write-enabling means makes a fixed range fromthe designated address out of the first area writable.

In the eleventh invention, by the first transition command, it ispossible to make a transition to the writable mode and make a fixedrange from the designated address writable.

A twelfth invention is a writing area security system according to theninth invention, and the controlling means decrypts the encrypted firsttransition command in a secure mode being higher in a degree of securitythan usual to which a transition has been made direct before thewritable mode as to the first area.

In the twelfth invention, a secure mode being higher in a degree ofsecurity than usual is provided directly before the writable mode, andin the secure mode, decryption of the encrypted first transition commandis performed.

According to the twelfth invention, the decryption of the firsttransition command can be performed in the secure mode, capable ofheightening the degree of security.

A thirteenth invention is a writing area security system according tothe ninth invention, and the server stores a first key for encryptingthe first transition command, and a second key different from the firstkey for encrypting the data to be downloaded. The encrypting meansencrypts the first transition command by utilizing the first key. Thedata transmitting means transmits the data to be downloaded encrypted byutilizing the second key. The storing means stores the first key and thesecond key. The decrypting means decrypts the encrypted first transitioncommand by utilizing the first key. The first writing means decrypts theencrypted data to be downloaded by utilizing the second key in thewritable mode as to the first area and writes the same to the firstarea.

In the thirteenth invention, a first key for encrypting the firsttransition command and a second key different from the first key forencrypting the data to be downloaded are stored in the server and thestoring means. That is, the server and the controlling means have acommon key (first key) for the first transition command and a common key(second key) for the data to be downloaded. The first transition commandwhich is encrypted with the first key and transmitted by the server isdecrypted with the first key by the controlling means, and thecontrolling means makes a transition to the writable mode by the firsttransition command. Furthermore, the download data which is encryptedwith the second key and transmitted by the server is decrypted with thesecond key by the controlling means, and written to the storing means inthe writable mode.

According to the thirteenth invention, it is possible to separatelyperform protection on the mode transition and the download data, capableof further heightening the degree of security.

A fourteenth invention is a writing area security system according tothe thirteenth invention, and the server further stores a third key formessage digest authentication of the data to be downloaded. The datatransmitting means encrypts, by utilizing the second key, the data to bedownloaded to which an authentication symbol generated by utilizing thethird key is added, and transmits the encrypted data. The storing meansfurther stores the third key. The controlling means decrypts theencrypted data by utilizing the second key in the writable mode as tothe first area. The first writing means, when the decrypted data isauthenticated by utilizing the third key, writes the data in the firstarea.

In the fourteenth invention, the third key for message digestauthentication of the data to be downloaded is stored in the server andthe storing means. The server encrypts the data to which theauthentication symbol (MIC) generated by utilizing the third key isadded with the second key and transmits the same. The controlling meansdecrypts the encrypted data with the second key in the writable mode.Then, when the decrypted data is authenticated by utilizing the thirdkey, the data is written to the first area.

According to the fourteenth invention, it is possible to perform themessage digest authentication with respect to the data to be downloaded.

A fifteenth invention is a writing area security system according to thefourteenth invention, and the third key is a key obtained by a part ofthe second key being replaced.

In the fifteenth invention, the third key for message digestauthentication is a key obtained by a part of the second key forencrypting the data to be downloaded being replaced. Accordingly, if acommon part is shared between the second key and the third key, the sizeof the area for storing the key can be reduced, resulting in reductionin cost.

A sixteenth invention is a writing area security system according to thetwelfth invention, and the storing means stores the encrypted first keyand second key. The controlling means decrypts the encrypted first keyand develops the same in a RAM when a transition to the secure mode ismade, and decrypts the encrypted second key and develops the same in theRAM when a transition to the writable mode as to the first area is made.

In the sixteenth invention, in the storing means, the first key and thesecond key are encrypted and stored. When a transition to the securemode is made, the first key is decrypted and automatically developed inthe RAM by the controlling means. When a transition to the writable modeis made, the second key is decrypted and automatically developed in theRAM by the controlling means.

According to the sixteenth invention, at a time of the mode transition,the first key or the second key corresponding to the mode can bedecrypted and developed in the RAM.

A seventeenth invention is a writing area security system according tothe sixteenth invention, and the controlling means develops the firstkey in response to a second transition command for making a transitionto the secure mode, and develops the second key in response to the firsttransition command.

In the seventeenth invention, when a mode transition is made in responseto the transition command by the controlling means, the first key or thesecond key is decrypted and developed.

According to the seventeenth invention, in response to the transitioncommand, the first key or the second key corresponding to the mode canbe decrypted and developed.

An eighteenth invention is a writing area security system according tothe eighth invention, and the host further includes a normal encryptingmeans for performing an encryption according to an algorithm of arelatively low processing load on the command issued with respect to thecontrolling means in a normal mode.

In the eighteenth invention, it is possible to encrypt the commandissued to the controlling means in the normal mode by the normalencrypting means according to an algorithm of a relatively lowprocessing load.

A nineteenth invention is a writing area security system according tothe eighth invention, and the host further includes a writing commandissuing means for issuing a writing command to instruct the controllingmeans to perform writing, and the controlling means writes the data tobe downloaded to the first area in response to the writing command inthe writable mode as to the first area.

In the nineteenth invention, the host includes a writing command issuingmeans (S73, S143) to issue a writing command to the controlling means.The controlling means performs writing the data in response to thewriting command in the writable mode.

According to the nineteenth invention, in response to the writinginstruction from the host, the data downloaded from the server can bewritten to the storing means. The data transmission and the data writingare separately processed, capable of heightening the degree of security.

A twentieth invention is a writing area security system according to theninth invention, and the storing means stores identification informationof the storing means. The information processing apparatus includes anidentification information transmitting means for transmitting theidentification information stored in the storing means to the server.The server stores a plurality of first keys for encrypting the firsttransition command, each of which is brought into correspondence with arespective one of the plurality of identification information. Theencrypting means encrypts the first transition command by utilizing thefirst key corresponding to the identification information of the storingmeans.

In the twentieth invention, the storing means stores identificationinformation of the storing means. The identification information istransmitted to the server by an identification information transmittingmeans (S5, S105). On the other hand, the server stores a plurality offirst keys, each of which is brought into correspondence with arespective one of the plurality of identification information. That is,the first key for encrypting the first transition command is preparedfor each storing means, and stored in the storing means and the server.The first transition command is encrypted by the encrypting means byutilizing the first key corresponding to the received identificationinformation.

According to the twentieth invention, it is possible to encrypt thefirst transition command by the first key for each storing means, andcause the controlling means to make a transition to the writable mode bythe first transition command, capable of heightening the degree ofsecurity.

A twenty-first invention is a writing area security system according tothe ninth invention, and the storing means stores identificationinformation of an application program stored in the storing means. Theinformation processing apparatus includes identification informationtransmitting means for transmitting the identification informationstored in the storing means to the server. The server stores a pluralityof first keys for encrypting the first transition command, each of whichis brought into correspondence with a respective one of the plurality ofidentification information. The encrypting means encrypts the firsttransition command by utilizing the first key corresponding to thereceived identification information of the application program.

In the twenty-first invention, the storing means stores identificationinformation of an application program stored in the storing means. Theidentification information is transmitted to the server by anidentification information transmitting means (S105). On the other hand,the server stores a plurality of first keys, each of which is broughtinto correspondence with a respective one of the plurality ofidentification information. That is, the first key for encrypting thefirst transition command is prepared for each application (game), andstored in the storing means and the server. The first transition commandis encrypted by the encrypting means by utilizing the first keycorresponding to the received identification information.

According to the twenty-first invention, it is possible to encrypt thefirst transition command by the first key for each application and causethe controlling means to make a transition to the writable mode by thefirst transition command, capable of heightening the degree of security.

A twenty-second invention is a writing area security system according tothe first invention, and the storing means and the controlling means areprovided to a detachable storage medium.

In the twenty-second invention, the storing means and the controllingmeans are provided to a storage medium (28) being detachable to thesystem. Accordingly, it is possible to protect the predetermined writingarea of the storing means provided to the storage medium according to adetermination of the format.

A twenty-third invention is a memory controller utilized in a writingarea security system including a storing means having a predeterminedwriting area and a host, and controlling writing to and reading from thestoring means. The memory controller includes a format determining meansfor determining whether or not data read from the predetermined writingarea in response to a reading instruction from the host is in apredetermined format, and an output means for outputting the data to thehost only when the format determining means determines that the data isin the predetermined format.

In the twenty-third invention, a memory controller (62) is utilized in awriting area security system (10, 100) including a storing means (64)and a host (34). The memory controller controls writing to and readingfrom the storing means having the predetermined writing area (206). Morespecifically, the memory controller includes a format determining means(S621, S623) to determine whether or not data read from thepredetermined writing area in response to a reading instruction from thehost is in a predetermined format. The memory controller furtherincludes an output means (S625) to output the data to the host only whenit is determined that the data is in the predetermined format.

According to the twenty-third invention, it is possible to implement awriting area security system which is not utilized when unintended datais written as in the above-described first invention.

A twenty-fourth invention is a security method in a writing areasecurity system including a storing means having a predetermined writingarea, a controlling means for controlling writing to and reading fromthe storing means, and a host to be connected to the controlling means.The security method includes a step of determining whether or not dataread from the predetermined writing area in response to a readinginstruction from the host by the controlling means is in a predeterminedformat, and a step of outputting the data to the host by the controllingmeans only when it is determined that the data is in the predeterminedformat.

In the twenty-fourth invention, a security method is as to apredetermined writing area (206) in a writing area security system (10,100) including a storing means (64), a controlling means (62), and ahost (34). In the method, the controlling means determines whether ornot data read from the predetermined writing area in response to areading instruction from the host by the controlling means is in apredetermined format (S621, S623). The controlling means outputs thedata to the host only when it is determined that the data is in thepredetermined format (S625).

According to the twenty-fourth invention, it is possible to implementthe writing area security system as in the above-described firstinvention.

According to the present invention, when data is read from thepredetermined writing area, whether or not the data is in thepredetermined format is determined, and only when the data is in thepredetermined format, the data is output to the host. Thus, in a casethat unintended data is written to the predetermined writing area, thedata is not output to the host. Thus, even if unintended data is writtento the predetermined writing area, it is possible to prevent the datafrom being illegally used.

The above described objects and other objects, features, aspects andadvantages of the present invention will become more apparent from thefollowing detailed description of the present invention when taken inconjunction with the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is an illustrative view showing one embodiment of a securitysystem of the present invention.

FIG. 2 is an illustrative view showing a game apparatus shown in FIG. 1.

FIG. 3 is a block diagram showing one example of an electricconfiguration of the game apparatus shown in FIG. 2.

FIG. 4 is an illustrative view showing one example of a memory map of aflash memory shown in FIG. 3.

FIG. 5 is an illustrative view showing an outline of a mode transitionof a memory controller shown in FIG. 3.

FIG. 6 is an illustrative view showing a change of the memory map of theflash memory in a case of a transition to a download mode.

FIG. 7 is an illustrative view showing a change of the memory map of theflash memory in a case of a transition to a backup mode.

FIG. 8 is an illustrative view showing one example of a memory map of aninformation area shown in FIG. 4.

FIG. 9 is an illustrative view showing one example of a memory map of aninternal RAM of the memory controller.

FIG. 10 is an illustrative view showing a change of a memory map of akey memory area shown in FIG. 9.

FIG. 11 is an illustrative view showing one example of a database of aserver shown in FIG. 1.

FIG. 12 is an illustrative view showing one example of a memory map of aRAM of a server.

FIG. 13 is an illustrative view showing one example of a memory map of aRAM of the game apparatus at a time of download processing.

FIG. 14 is an illustrative view showing one example of the memory map ofthe RAM of the game apparatus at a time of backup processing.

FIG. 15 is an illustrative view showing one example of data with parityto be written to the backup area.

FIG. 16 is a flowchart showing a part of one example of an operation ofthe system at a time of the download processing.

FIG. 17 is a flowchart showing a part of the sequel to FIG. 16.

FIG. 18 is a flowchart showing a part of the sequel to FIG. 17.

FIG. 19 is a flowchart showing a part of the sequel to FIG. 18.

FIG. 20 is a flowchart showing a part of one example of an operation ofthe game apparatus at a time of the download processing.

FIG. 21 is a flowchart showing a part of the sequel to FIG. 20.

FIG. 22 is a flowchart showing the sequel to FIG. 21.

FIG. 23 is a flowchart showing a part of one example of an operation ofthe memory controller at a time of the download processing.

FIG. 24 is a flowchart showing a part of the sequel to FIG. 23.

FIG. 25 is a flowchart showing a part of the sequel to FIG. 24.

FIG. 26 is a flowchart showing a part of the sequel to FIG. 25.

FIG. 27 is a flowchart showing a part of one example of an operation ofthe server at a time of the download processing.

FIG. 28 is a flowchart showing a part of the sequel to FIG. 27.

FIG. 29 is a flowchart showing the sequel to FIG. 28.

FIG. 30 is a flowchart showing one example of an operation of the gameapparatus at a time of backup writing.

FIG. 31 is a flowchart showing one example of an operation of the gameapparatus at a time of backup reading.

FIG. 32 is a flowchart showing a part of one example of an operation ofthe memory controller in a backup mode.

FIG. 33 is a flowchart showing a sequel to FIG. 32.

BEST MODE FOR PRACTICING THE INVENTION

Referring to FIG. 1, a security system (hereinafter referred to as“system”) 100 of an embodiment of the present invention includes aninformation processing apparatus 10 and a server 102. The informationprocessing apparatus 10 downloads data from the server 102 to store thedata in a predetermined memory area. The system 100 of this embodimentis a download security system, and is for preventing the predeterminedmemory area for writing downloaded data from being utilized by anunauthorized download. Furthermore, the information processing apparatus10 also functions as a security system for a backup data writing area,and is for preventing a predetermined memory area for writing the backupdata from being used illegally. Here, the system 100 may function as asecurity system for a backup data writing area.

It should be noted that the information processing apparatus 10 isimplemented in a form of a portable game apparatus in this embodiment,but in another embodiment, this may be a computer in another form, suchas a mobile information terminal, a cellular phone, a personal computer,a console game apparatus, or the like. Additionally, the server 102 is acomputer, and has a CPU, a RAM, a ROM, an HDD, a communication device,and the like although illustration is omitted.

The information processing apparatus, that is, the game apparatus 10 canconnect to the server 102 via an access point 104 and a network 106. Thenetwork 106 is a wide area network (WAN), the Internet or the like, ormay be a local area network (LAN). When downloading data from the server102, the game apparatus 10 connects to the access point 104 by wireless(or wired), and communicates with the server 102 on the network 106 viathe access point 104. Here, the game apparatus 10 fetches IP addressesof the access point 104 and the server 102 according to an input or alist selection by the user, or the like.

Referring to FIG. 2, the game apparatus 10 includes a first liquidcrystal display (LCD) 12 and a second LCD 14. The LCD 12 and the LCD 14are set on a housing 16 so as to be arranged in predetermined positions.In this embodiment, the housing 16 comprises an upper housing 16 a and alower housing 16 b, and the LCD 12 is provided on the upper housing 16 awhile the LCD 14 is provided on the lower housing 16 b. Accordingly, theLCD 12 and the LCD 14 are closely arranged so as to be longitudinally(vertically) parallel with each other.

In addition, although an LCD is utilized as a display in thisembodiment, an EL (Electronic Luminescence) display, a plasmaticdisplay, etc. may be used in place of the LCD.

As can be understood from FIG. 2, the upper housing 16 a has a planeshape little larger than a plane shape of the LCD 12, and has an openingformed so as to expose a display surface of the LCD 12 from one mainsurface thereof. On the other hand, the lower housing 16 b has a planeshape and a size approximately the same as those of the upper housing 16a, and has an opening formed so as to expose a display surface of theLCD 14 at approximately the center of the horizontal direction. Also, apower switch 18 is provided at the right side surface of the lowerhousing 16 b.

Furthermore, the upper housing 16 a is provided with sound release holes20 a and 20 b for speakers 36 a and 36 b (see FIG. 3) on both sides ofthe LCD 12.

The upper housing 16 a and the lower housing 16 b are rotatablyconnected at a lower side (lower edge) of the upper housing 16 a and apart of an upper side (upper edge) of the lower housing 16 b.Accordingly, in a case that a game is not played, for example, if theupper housing 16 a is rotatably folded such that the display surface ofthe LCD 12 and the display surface of the LCD 14 are face to face witheach other, it is possible to prevent the display surface of the LCD 12and the display surface of the LCD 14 from being damaged, such as aflaw, etc. It should be noted that the upper housing 16 a and the lowerhousing 16 b are not necessarily rotatably connected with each other,and may alternatively be provided integrally (fixedly) to form thehousing 16.

Then, a microphone hole 20 c for a microphone (not illustrated) isformed at the center of the connected portion between the upper housing16 a and the lower housing 16 b. This makes it possible to perform gameprocessing on the basis of a sound signal by a sound, a voice or abreath which are taken from the microphone.

Furthermore, the lower housing 16 b is provided with an operating switch22 (22 a, 22 b, 22 c, 22 d, 22 e, 22L and 22R). The operating switch 22includes the direction instructing switch (cross switch) 22 a, the startswitch 22 b, the select switch 22 c, the action switch (A button) 22 d,the action switch (B button) 22 e, the action switch (X button) 22 f,the action switch (Y button) 22 g, the action switch (L button) 22L andthe action switch (R button) 22R.

The switch 22 a is arranged at the left of the LCD 14 on the one surfaceof the lower housing 16 b. The other switches 22 b-22 g are arranged atthe right of the LCD 14 on the one surface of the lower housing 16 b. Inaddition, the operating switches 22L and 22R are arranged at the rightand left corners on the upper side surface of the lower housing 16 b.Here, the action switches 22L and 22R are provided on a back surface ofthe lower housing 16 b, and shown by dotted line because they are hiddenunder the connected portion in a front view as shown in FIG. 2.

The direction instructing switch 22 a functions as a digital joystick,and is utilized for instructing a traveling direction (moving direction)of a player object (or player character) to be operated by a user or aplayer and instructing a traveling direction of a cursor, and so forthby operating any one of four depression portions. Also, a specific rolecan be assigned to each of the four depression portions, and byoperating any one of the four depression portions, it is possible toinstruct (designate) the assigned role.

The start switch 22 b is formed by a push button, and is utilized forstarting (restarting), temporarily stopping (pausing) a game, and soforth. The select switch 22 c is formed by the push button, and utilizedfor a game mode selection, etc.

The action switch 22 d, that is, the A button is formed by the pushbutton, and allows the player object to perform an arbitrary actionexcept for instructing the direction, such as hitting (punching),throwing, holding (obtaining), riding, jumping, etc. For example, in anaction game, it is possible to apply an instruction of jumping,punching, moving arms, etc. In a role-playing game (RPG) and asimulation RPG, it is possible to apply an instruction of obtaining anitem, selecting and determining arms or command, etc. The action switch22 e, that is, the B button is formed by the push button, and isutilized for making a transition to a game mode selected by the selectswitch 22 c, canceling an action determined by the A button 22 d, and soforth.

The action switch 22 f, that is, the X button and the action switch 22g, that is, the Y button are formed by the push buttons, and areutilized for a subsidiary operation when the game cannot be advancedonly with the A button 22 d and the B button 22 e. It should be notedthat the X button 22 f and the Y button 22 g can be used for theoperations similar to the A button 22 d and B button 22 e. Of course,the X button 22 f and the Y button 22 g are not necessarily utilized inthe game play.

The action switch (left depression button) 22L and the action switch(right depression button) 22R are formed by the push buttons, and theleft depression button (L button) 22L and the right depression button (Rbutton) 22R can be used for the operation the same as the A button 22 dand the B button 22 e, and also function as a subsidiary of the A button22 d and the B button 22 e. In addition, the L button 22L and the Rbutton 22R can change the roles assigned to the direction switch 22 a,the A button 22 d, the B button 22 e, the X button 22 f, and the Ybutton 22 g to other roles.

Also, on a top surface of the LCD 14, a touch panel 24 is provided. Asthe touch panel 24, any kinds of a resistance film system, an opticalsystem (infrared rays system) and an electrostatic capacitive couplingsystem, for example, can be utilized. In response to an operation (touchinput) by depressing, stroking, touching, and so forth with a stick 26,a pen (stylus pen), or a finger (hereinafter, referred to as “stick 26,etc.”) on a top surface of the touch panel 24, the touch panel 24detects coordinates of an operated position by the stick 26, etc. tooutput coordinates data corresponding to the detected coordinates.

It should be noted that in this embodiment, a resolution of the displaysurface of the LCD 14 (the same is true for the LCD 12) is 256 dots×192dots. A detection accuracy of the touch panel 24 is also rendered 256dots×192 dots in correspondence to the resolution of the displaysurface. However, the detection accuracy of the touch panel 24 may belower than the resolution of the display surface, or higher than it.

Different game screens may be displayed on the LCD 12 and the LCD 14.For example, in a racing game, a screen viewed from a driving seat isdisplayed on the one LCD, and a screen of entire race (course) may bedisplayed on the other LCD. Furthermore, in the RPG, a map, characterssuch as a player object, etc. are displayed on the one LCD, and itemsbelonging to the player object may be displayed on the other LCD.Additionally, a game screen including a player object and a non-playerobject, etc. may be displayed on the one LCD, and a game screenincluding information relating to the player object and the non-playerobject or an operation screen for operating the player object can bedisplayed on the other LCD. Furthermore, by utilizing the two LCD 12 andLCD 14 as one screen, it is possible to display a large monster (enemyobject) to be defeated by the player object.

Accordingly, the player is able to point (operate) an image such as aplayer object, an enemy object, an item object, an operating object,etc. to be displayed on the screen of the LCD 14 and select (input)commands by operating the touch panel 24 with the use of the stick 26,etc. Also, it is possible to change the direction of a virtual camera(viewpoint) (direction of the line of sight) provided in the virtualgame space (three-dimensional game space), and instruct a scrolling(gradual moving display) direction of the game screen (map).

Additionally, depending on the kind of the game, other inputinstructions can be made with the use of the touch panel 24. Forexample, it is possible to input by hand texts, numbers, symbols, etc.on the LCD 14 of the touch panel 24.

Thus, the game apparatus 10 has the LCD 12 and the LCD 14 as a displayportion of two screens, and by providing the touch panel 24 on an uppersurface of any one of them (LCD 14 in this embodiment), the gameapparatus 10 has the two screens (12, 14) and two kinds of the operatingportions (22, 24).

Although the first LCD 12 and the second LCD 14 are vertically arranged,the arrangement of the two LCDs may be changed as necessary. In anotherembodiment, the first LCD 12 and the second LCD 14 may horizontally bearranged.

Furthermore, in this embodiment, two LCDs are provided, but the numberof LCDs as a display means can be changed as necessary. In anotherembodiment, a vertically-long LCD is provided, and by verticallydividing the display areas into two, two game screens may be displayedon the respective display areas, or a horizontally-long LCD is provided,and by horizontally dividing the display area side by side, two gamescreens may be displayed on the respective display areas.

In addition, the stick 26 can be housed in the housing portion (notshown) provided on the lower housing 16 b, for example, and taken out asnecessary. It should be noted that if the stick 26 is not provided, thehousing portion also need not to be provided.

Moreover, the game apparatus 10 includes a memory card (or cartridge)28. The memory card 28 is a storage medium detachable to the gameapparatus 10, and inserted into a loading slot 30 (shown by dotted linesin FIG. 2) provided on an upper edge surface of the lower housing 16 b.A connector 32 (see FIG. 3) for connecting to a connector 60 provided atan end portion of the memory card 28 in the loading direction isprovided at a depth portion of the loading slot 30, and when the memorycard 28 is loaded into the loading slot 30, the connectors are connectedwith each other, and therefore, the memory card 28 is accessible by aCPU 34 (see FIG. 3) of the game apparatus 10.

Furthermore, although omitted in FIG. 1, a battery accommodating box isprovided on a rear surface of the lower housing 16 b, a volume switch,an earphone jack, etc. are provided on the lower edge surface (bottomsurface) of the lower housing 16 b, and an external expansion connectoris provided on the upper edge surface (top surface), for example.

FIG. 3 is a block diagram showing an electrical configuration of thegame apparatus 10. Referring to FIG. 3, the game apparatus 10 includesan electronic circuit board 38, and on the electronic circuit board 38,circuit components, such as a CPU 34, etc. are mounted. The CPU 34 isconnected to the above-described connector 32 via a bus 40, and isconnected with a RAM 42, a first graphics processing unit (GPU) 44, asecond GPU 46, an input-output interface circuit (hereinafter, referredto as “I/F circuit”) 48, an LCD controller 50, and a wirelesscommunication portion 58.

The connector 32 is detachably connected with the memory card 28 asdescribed above. The memory card 28 includes a memory controller 62 anda flash memory 64, and the memory controller 62 is connected to theflash memory 64 and the connector 60 via a bus. Accordingly, asdescribed above, the CPU 34 can access the flash memory 64 via thememory controller 62.

The memory controller 62 is a controlling apparatus for controllingwriting and reading to and from the flash memory 64. The memorycontroller 66 has a RAM 66 as an internal memory.

The flash memory 64 stores in advance a game program for a game to beexecuted in the game apparatus 10, image data (images of characters andobjects, background images, item images, icon (button) images, messageimages, etc.) and data of sound (music) (sound data), etc. necessary forthe game. Furthermore, as described later, in the flash memory 64, anarea for saving downloaded data and an area for storing backup data,such as proceeding data of the game and result data of the game areprovided. Furthermore, in this embodiment, a NAND-type flash memory isapplied as a flash memory 64. In another embodiment, another nonvolatilememory may be applied.

The RAM 42 of the game apparatus 10 is utilized as a buffer memory or aworking memory. That is, the CPU 34 loads the game program, the imagedata, the sound data, etc. stored in the memory card 28 into the RAM 42,and executes the loaded game program. Furthermore, the CPU 34 executes agame processing while storing data (game data, flag data, etc.)temporarily generated or obtained in correspondence with a progress ofthe game in the RAM 42.

It should be noted that the game program, the image data, the sounddata, etc. are read from the memory card 28 entirely at a time, orpartially and sequentially so as to be stored into the RAM 42.

Here, in the game apparatus 10, an application other than the game maybe executed, and in such a case, necessary data for the program and theimage data, etc. as to the application may be stored in the flash memory64 of the memory card 28. Furthermore, sound (music) data may be storedas required.

Each of the GPU 44 and the GPU 46 forms a part of a rendering means, isconstructed by, for example, a single chip ASIC, and receives a graphicscommand (drawing instruction) from the CPU 34 to generate image dataaccording to the graphics command. It should be noted that the CPU 34applies an image generation program (included in the game program)required to generate the image data to both of the GPU 44 and GPU 46 inaddition to the graphics command.

Furthermore, the GPU 44 is connected with a first video RAM (hereinafterreferred to as “VRAM”) 52, and the GPU 46 is connected with a secondVRAM 54. The GPU 44 and the GPU 46 respectively access the first VRAM 52and the second VRAM 54 to obtain necessary data (image data: polygondata, texture data, etc.) to execute a graphics command.

In addition, the CPU 34 writes image data necessary for drawing to thefirst VRAM 52 and the second VRAM 54 via the GPU 44 and the GPU 46. TheGPU 44 accesses the VRAM 52 to produce image data necessary for drawingand stores the same in a rendering buffer of the VRAM 52. The GPU 46accesses the VRAM 54 to produce image data for drawing and stores thesame in the rendering buffer of the VRAM 54. As a rendering buffer, aframe buffer, a line buffer, etc. may be adopted.

The VRAM 52 and the VRAM 54 are connected to the LCD controller 50. TheLCD controller 50 includes a register 56, and the register 56 consistsof one bit, for example, and stores a value of “0” or “1” (data value)according to an instruction of the CPU 34. The LCD controller 50 outputsthe image data produced by the GPU 44 to the LCD 12, and outputs theimage data produced by the GPU 46 to the LCD 14 in a case that the datavalue of the register 56 is “0”. Additionally, the LCD controller 50outputs the image data produced by the GPU 44 to the LCD 14, and outputsthe image data produced by the GPU 46 to the LCD 12 in a case that thedata value of the register 56 is “1”.

Furthermore, the LCD controller 50 can directly read the image data fromthe VRAM 52 and the VRAM 54, or read the image data from the VRAM 52 andthe VRAM 54 via the GPU 44 and the GPU 46.

In addition, the VRAM 52 and the VRAM 54 may be provided in the RAM 42,or a rendering buffer and a Z buffer therefor may be provided in the RAM42.

The I/F circuit 48 is connected with the operating switch 22, the touchpanel 24 and the speakers 36 a, 36 b. Here, the operating switch 22 isthe above-described switches 22 a, 22 b, 22 c, 22 d, 22 e, 22 f, 22 g,22L and 22R, and in response to an operation of the operating switch 22,a corresponding operation signal (operation data) is input to the CPU 34via the I/F circuit 48. Furthermore, coordinates data output from thetouch panel 24 is input to the CPU 34 via the I/F circuit 48. Inaddition, the CPU 34 reads from the RAM 42 the sound data necessary forthe game, such as a game music (BGM), a sound effect or voices of a gamecharacter (onomatopoeic sound), etc., and outputs it from the speakers36 a, 36 b via the I/F circuit 48.

The wireless communication portion 58 is a communication means fortransmitting and receiving data with another game apparatus 10 orcommunication equipment by radio waves. Here, the weak radio wavetransmitted and received by the game apparatus 10 is set in intensity tosuch a degree as not to be restricted by the Radio Law. When the CPU 34applies data such as game data, a command, etc. to the wirelesscommunication portion 58, the wireless communication portion 58modulates communication data to be transmitted to the opponent into awireless signal and transmits it from an antenna. Furthermore, thewireless communication portion 58 receives a wireless signal from theopponent by the antenna to demodulate it to data, and applies the datato the CPU 34. By utilizing the wireless communication portion 58, thegame apparatus 10 can receive and transmit data with other gameapparatuses 10 to thereby execute a communication game. The gameapparatus 10 can connect to the access point 104 and the network 106 viathe wireless communication portion 58, and thus can download a programand data from a server 102 on the network 106, and communicate withanother game apparatus 10 via the network 106.

In the system 10, a predetermined area for writing the data downloadedfrom the server 102 is provided to the flash memory 64 of the memorycard 28. Furthermore, a predetermined area for writing backup data to begenerated during execution of a game (application) is provided to theflash memory 64. One example of the memory map of the flash memory 64 isshown in FIG. 4. The flash memory 64 is provided with an informationarea 200, a game area 202, a download area 204, a backup area 206, etc.Here, FIG. 4 shows a part of the memory map, and can be provided withother areas.

The download area 204 is an area for writing data downloaded from theserver 102, and the backup area 206 is an area for writing backup data.Here, in the information area 200, as shown in FIG. 8 described later,header information of the flash memory 64 and predetermined data arestored in advance. Furthermore, in the game area 202, a game program anddata are stored in advance. The game program includes a game processingprogram, a download processing program, a backup processing program,etc.

An operation of the memory controller 62 is controlled depending on amode such that the writing area provided to the flash memory 64 isprotected stepwise. For each mode, an executable operation by the memorycontroller 62 is restricted, and there is a need of switching the modeto execute a necessary operation. An outline of a mode transition of thememory controller 62 is shown in FIG. 5. The memory controller 62 has agame mode, a DL (Download) secure mode, a download mode, a backup mode,etc. The memory controller 62 is configured to make a mode transition inresponse to various transition commands applied externally (the CPU 34being a host, or the server 102 on the network 106). Additionally, theCPU 34 issues the transition command by executing the applicationprogram (a program stored in the game apparatus 10 may be appropriate)stored in the memory card 28.

The game mode is a normal mode. When the power of the game apparatus 10is turned on, for example, an electric power is supplied from the gameapparatus 10 to the memory controller 62 so as to activate it. Whenbeing activated, the memory controller 62 is placed in the game mode,and is basically in the game mode during execution of the game (morespecifically, when no data is required to be written to the flashmemory) as well. During execution of the game, a program and data haveto be read from the flash memory 64 as necessary, and in this game mode,it is desirable that reading from the flash memory 64 is performed athigh speeds. Thus, in the game mode, the command to be applied to thememory controller 62 may not be encrypted, but even if the command isencrypted, the command may be protected to such a degree to be encryptedby an algorism of low processing load. Additionally, in the game mode,even if the host (CPU 34) issues a data writing command to the flashmemory 64, the memory controller 62 does not accept the command, andthus it is impossible to write the data into the flash memory 64.

The flash memory 64 is provided with a download area 204 for writingdownloaded data in order to download data from the server 102 accordingto a selection by the player or according to a program during executionof the game. In a case of downloading, the degree of security has to beheightened for protecting the flash memory 64 from an unauthorizedcomputer access. Thereupon, the memory controller 62 makes a transitionfrom the game mode in which an access to the flash memory 64 is easy toa mode of a high degree of security.

Furthermore, a transition is not directly made from the game mode to thedownload mode in which download data can be written, but another mode,that is, a DL secure mode in this embodiment is interposed so as toperform protection at two levels when downloading.

More specifically, when a gCHG_DL_MODE command is applied to the memorycontroller 62 in the game mode, the memory controller 62 makes atransition from the game mode to the DL secure mode. Here, thegCHG_DL_MODE command is a transition command for making a transitionfrom the game mode to the DL secure mode, and is issued by the CPU 34 ofthe game apparatus 10.

The DL secure mode is a mode provided for heightening the degree ofsecurity at a time of downloading. In the DL secure mode, a command tobe applied to the memory controller 62 is encrypted. More specifically,an encrypted dsCHG_MODE command is applied to the memory controller 62.Here, the dsCHG_MODE command is a transition command for making atransition from the DL secure mode to the download mode. The transitioncommand to the download mode is not issued from the CPU 34 of the gameapparatus 10, but transmitted from the server 102 after it beingencrypted in the server 102. It should be noted that the CPU 34 of thegame apparatus 10 cannot generate the dsCHG_MODE command. This isbecause the dsCHG_MODE command is to be applied to the memory controller62 in the encrypted state, and the CPU 34 of the game apparatus 10 doesnot have key data for the encryption. The memory controller 62 decryptsthe command received in the DL secure mode, and makes a transition tothe download mode when the command is the dsCHG_MODE command. Forencryption of the transition command, the server 102 and the memory card28 store a common key.

Thus, it is possible to perform protection with respect to a transitionfrom the DL secure mode to the download mode. Furthermore, a transitioncommand to the DL secure mode is issued from the CPU 34 being the hostwhile a transition command to the download mode is issued from theserver 102. That is, the transition to the download mode is enabled bycooperation between the CPU 34 and the server 102, so that it ispossible to further heighten the degree of security.

In the download mode, data downloaded from the server is written to thedownload area 204. The data to be downloaded is encrypted in the serverand transmitted while the received data is decrypted by the memorycontroller 62. Thus, it is possible to protect the data to bedownloaded. Furthermore, the encryption key in the DL secure mode andthe encryption key in the download mode are differentiated from eachother, resulting in the two levels of security. Thus, it is possible toseparately protect the transition command and the data.

The download data is encrypted in the server as described above, andwhen receiving the encrypted data, the CPU 34 transfers it to the memorycontroller 62. For writing the data, the CPU 34 issues a writing command(dWR_PAGE command). In response to the writing command, the memorycontroller 62 executes processing for writing the data, such asdecryption of data, etc. If it is authenticated that the received datais authorized data, the memory controller 62 writes this data to thedownload area 204. The writing to the download area 204 is made possibleonly in the download mode. The memory controller 62 is configured toaccept the writing command issued by the CPU 34 only in the downloadmode, and thus, in another mode, writing to the download area 204 ismade impossible.

After completion of writing the predetermined data, in response to adlCHG_MODE command, the memory controller 62 makes a transition to thegame mode. Here, the dlCHG_MODE command is a transition command formaking a transition from the download mode to the game mode, and issuedfrom the CPU 34.

In the mode transition as to the downloading, accessibility to the flashmemory 64 is changed. FIG. 6 shows the changes of the memory map of theflash memory 64 when a transition to the download mode is made. First,in the game mode, the game area 202 and the download area 204 are set tobe readable only. Then, when a transition is made to the DL secure modein response to the gCHG_DL_MODE command, all the areas are set tounreadable and unwritable states. The processing of the encrypteddsCHG_MODE command is performed in a state that all the areas of theflash memory 64 are made inaccessible. Then, when a transition is madeto the download mode in response to the dsCHG_MODE command, the downloadarea 202 is made accessible. Moreover, in this embodiment, only theblock designated by the dsCHG_MODE command out of the download area 202is made accessible. Thus, depending on the transition of the mode,readable and writable states are changed with respect to each area ofthe flash memory 64, that is, the memory map is changed for each mode,capable of heightening the degree of security.

On the other hand, during execution of the game, the CPU 34 generatesbackup data of the game. The backup area 206 for writing the backup datais provided to the flash memory 64. The writing to the backup area 206itself is to be locally performed in nature, but program data illegallyacquired from the network 106, for example, may be written to the backuparea 206. In order to prevent the backup area 206 from being illegallyused, the degree of security of the backup area 206 is heightened.

As shown in FIG. 5, in order to perform writing to or reading from thebackup area 206, the memory controller 62 makes a transition from thegame mode to the backup mode in response to a gCHG_BK_MODE command.Here, the gCHG_BK_MODE command is a transition command for making atransition from the game mode to the backup mode, and is issued to thememory controller 62 by the CPU 34 being the host. Additionally, inresponse to a bCHG_MODE command, the memory controller 62 makes atransition to the game mode. Here, the bCHG_MODE command is a transitioncommand for making a transition from the backup mode to the game mode,and is issued to the memory controller 62 by the CPU 34 being the host.

In the backup mode, when data is to be written, data to be written istransformed into a predetermined format by the CPU 34, and the data inthe predetermined format is written to the backup area 206 by the memorycontroller 62. On the other hand, when data is to be read, it isdetermined whether or not the read data is in the predetermined formatby the memory controller 62. If it is determined that the data is in thepredetermined format, the data is output to the CPU 34.

However, if it is determined that the data is not in the predeterminedformat, the data is regarded as data being illegally written to thebackup area, and the memory controller 62 makes a transition to anillegal mode. When the transition to the illegal mode is made, the datais not output, thus capable of preventing the backup area from beingillegally used.

Additionally, in this embodiment, when it is determined that the writtendata is not in the predetermined format, the memory controller 62outputs no data, but in another embodiment, the memory controller 62outputs predetermined data indicating that this is unauthorized data tothe CPU 34 to thereby allow the CPU 34 to perceive the illegally writtendata. In this case as well, the written data is not normally output, sothat it is possible to protect the backup area 206 from the unauthorizeduse.

In the mode transition as to the backup as well, accessibility to theflash memory 64 is changed. FIG. 7 shows the changes of the memory mapof the flash memory 64 when a transition is made to the backup mode. Inthe game mode, the game area 202 is set to a state of being readableonly, and the backup area 206 is set to unreadable and unwritablestates. Then, when a transition to the backup mode is made in responseto the gCHG_BK_MODE command, only the backup area 206 is set to theaccessible state. Moreover, in this embodiment, only the blockdesignated by the gCHG_BK_MODE command out of the backup area 206 ismade accessible. Thus, as in the downloading case, in response to thetransition of the mode, readable and writable states are changed withrespect to each area of the flash memory 64, that is, the memory map ischanged for each mode, capable of heighten the degree of security.

It should be noted that in this embodiment, writing to the backup area206 is made possible only after the transition to the backup mode. Thisis because of preventing the data written once at the factory, forexample, from being erroneously overwritten. However, as a modifiedexample, the backup area 206 out of the flash memory 64 may be writableeven in the game mode.

FIG. 8 shows one example of a memory map of the information area 200 ofthe flash memory 64. Additionally, FIG. 8 is a part of the informationarea 200 and also stores other necessary data, such as a start addressof the game area 202, etc.

In a memory area 210, a start address of the download area 204 is storedin advance, and in a memory area 212, a start address of the backup area206 is stored in advance. A size or an end address of the download area204 and the backup area 206 may be stored for the rest. As headerinformation, data capable of discriminating each of the download area204 and the backup area 206 and other areas, that is, boundary data ofeach area may be stored. The memory controller 62 can grasp and accesseach area by referring to the boundary data of each area.

In a memory area 214, an encrypted key 1 is stored in advance. The key 1is a key for DL secure mode (encryption key), that is, a key to be usedin the DL secure mode. By the key 1, the dsCHG_MODE command encrypted inthe server 102 is decrypted.

Additionally, the flash memory 64 stores encrypted keys, so that it ispossible to make the content of the key unreadable even if the flashmemory 64 is taken out from the memory card 28, and the data isillegally read.

In a memory area 216, an encrypted key 2 is stored in advance. The key 2is a key for the download mode (encryption key), that is, a key to beutilized in the download mode. By the key 2, the data to be downloadedwhich is encrypted in the server 102 is decrypted.

In a memory area 218, an encrypted key 3 is stored in advance. The key 3is a key for message digest authentication (encryption key) of the datato be downloaded, that is, a key for calculating a message integritycode (MIC) as an authentication symbol of the data to be downloaded. Itshould be noted that in this embodiment, a configuration in which a partof the key 3 is the same as a part of the key 2 is adopted. That is, thekey 3 is a key obtained by replacing a part of the key 2 (part exceptfor the common part). Then, in the memory area 218, only theabove-described rest part of the key 3 (part except for the part commonto the key 2) is encrypted and stored. When the complete key 3 isrequired for the MIC calculation, the key 3 of the memory area 218 andthe common part of the key 2 are utilized.

In a memory area 220, a unique ID indicating identification informationof the memory card 28 (flash memory 64) is stored. Furthermore, in amemory area 222, a game ID indicating identification information of thegame or the application of the memory card 28 is stored. The game ID maybe a title and a kind of the game.

Additionally, in this embodiment, in the flash memory 64, a key beingspecific to the memory card 28 is stored. That is, keys 1, 2 and 3corresponding to the unique ID are stored. In another embodiment, a keybeing specific to the game title, that is, keys 1, 2 and 3 correspondingto the game ID may be stored.

FIG. 9 shows one example of a memory map of the internal RAM 66 of thememory controller 62. Here, FIG. 9 shows a part of the memory map of theinternal RAM 66.

In a memory area 300, a current mode is stored. By this mode data, thememory controller 62 can grasp the current mode. When receiving acommand, the memory controller 62 may determine, before execution of thecommand, whether or not the command is a command defined as being issuedin the current mode. Thus, it is possible to determine a normally issuedcommand.

A memory area 302 is a key memory area. Keys corresponding to thecurrent mode are stored. As described above, in this embodiment, eachkey is encrypted and stored in the information area 200 of the flashmemory 64. The memory controller 62 reads the key in the work area ofthe internal RAM 66 to decrypt the same, and stores the decrypted key inthe memory area 302. Furthermore, when a transition is made in responseto each transition command, each key may be developed in the memory area302.

More specifically, as shown in FIG. 10, in the DL secure mode, in thekey memory area 302, a decrypted key 1 and a decrypted key 3 (strictly,a part of the key 3 in this embodiment) are stored. Here, the key 1 is akey for the DL secure mode, but in this embodiment, in the game mode aswell, predetermined data (the random number and the unique ID or thegame ID) may be encrypted by utilizing the key 1, so that the key 1 hasalready been stored in the memory area 302 from the game mode.Furthermore, the key 3 is made resident until the power is turned off.The part of the key 3 is smaller than the part shared with the key 2, sothat this is developed in advance. Additionally, when a transition fromthe game mode to the DL secure mode is made, the key 1 is read againfrom the flash memory 64 so as to be decrypted and then developed in thememory area 302. This is a re-development by way of caution in view ofthe fact that the data on the internal RAM 66 may be rewritten due toany accident.

When a transition to the download mode is made, the key 1 is replacedwith the key 2. That is, the key 1 is erased from the memory area 302,and the key 2 is read in the work area from the flash memory 64 so as tobe decrypted, and the decrypted key is stored in the memory area 302.Furthermore, the key 3 is stored as it is. As described above, the key 2is used for encrypting the data to be downloaded in the download modewhile the key 3 is used for calculating the MIC of the data to bedownloaded. As in this embodiment, one part is shared between the key 2and the key 3, so that the size of the area to be ensured for the keymemory area 302 is reduced, resulting in reduction in the capacity ofthe internal RAM 66 and the cost.

Alternatively, in another embodiment, the complete key 3 may be storedin advance, and the key 3 is developed in the key memory area 302.

Returning to FIG. 9, a memory area 304 stores a random number. Therandom number is a pseudo random number, and generated whenpredetermined processing is executed in the memory controller 62.Furthermore, in the memory area 306, a flag indicating a writeprotection is stored. When the write protection is turned on, writing bythe flash memory 64 to the download area 204 is inhibited.

FIG. 11 shows one example of data to be stored in the database of theserver 102. Here, the database is stored in an HDD, a ROM, or the likeof the server 102.

In the database, the data to be downloaded is stored. The data to bedownloaded is data to be stored in the download area 204 of the memorycard 28. For example, a file for downloading may be prepared for eachgame title, that is, in correspondence with the game ID.

Furthermore, key data is stored in the database. In this embodiment, asdescribed above, a specific key is prepared for each memory card 28, sothat a key 1, a key 2 and a key 3 are stored by being brought intocorrespondence with the unique ID. It should be noted that similar tothe memory card 28, with respect to the key 3, a part may be shared withthe key 2, and therefore, the rest part is stored, or the complete key 3may be stored.

Additionally, in another embodiment, keys for each game title may beprepared, that is, the keys 1, 2 and 3 may be stored by being broughtinto correspondence with the game ID.

FIG. 12 shows one example of a memory map of the RAM of the server 102.Here, the memory map shows a part, and other necessary program and dataare also stored.

A memory area 400 is a program memory area, and stores a program forexecuting the download processing of the server 102. The program is readfrom the ROM, the HDD, or the like.

A memory area 402 is a data memory area, and stores data read from theROM, the HDD, or the like, data generated by the CPU, data received fromthe game apparatus 10, etc.

In a memory area 404, a unique ID received first is stored, and in amemory area 406, a game ID is stored. More specifically, when downloadprocessing is started, the unique ID and the game ID are firsttransmitted from the game apparatus 10, and the unique ID and the gameID are respectively stored in the memory areas 404 and 406.

In a memory area 408, the keys read from the database are stored. Inthis embodiment, the keys 1, 2 and 3 corresponding to the unique ID arestored.

In a memory area 410, a random number and a unique ID are stored. Morespecifically, data of the random number and the unique ID which areencrypted with the key 1 are transmitted from the game apparatus 10after the first unique ID, and the random number and the unique IDobtained by decrypting the reception data with the key 1 are stored inthe memory area 410.

In a memory area 412, a block address is stored. More specifically,following the above-described random number and unique ID, a blockaddress where writing is made is transmitted from the game apparatus 10,and the block address is stored in the memory area 412. In thisembodiment, the server 102 transmits a transition command whichdesignates the block address to the memory controller 62 via the gameapparatus 10 to designate the block address where a file to bedownloaded is written.

In a memory area 414, a write file is stored. More specifically, thefile for the data to be downloaded read from the database is stored. Ifthe download data is prepared for each game title, the datacorresponding to the game ID is stored. Alternatively, the datacorresponding to the unique ID, that is, the data for each memory card28 may be read, and predetermined data may be read irrespective of thegame ID and the unique ID. From the write file, a predetermined amountof data is sequentially fetched and transmitted to the game apparatus10.

FIG. 13 shows one example of a memory map of the RAM 42 of the gameapparatus 10 in the download processing. Additionally, FIG. 13 shows apart of the memory map, and other necessary data is stored.

A memory area 500 is a program memory area, in which a program forexecuting the processing by the game apparatus 10 is read from thememory card 28 and stored. The program includes game processing program,download processing program, etc.

A memory area 502 is a data memory area, in which data fetched from thememory card 28, data generated by the CPU 34, data received from theserver 102, etc. are stored.

In a memory area 504, a game ID is stored. The game ID is read from thememory area 222 of the information area 200 of the flash memory 64 bythe memory controller 62 so as to be output, and applied to the CPU 34via the connector 60, the connector 32, etc when the power is turned on.The game ID, when the unique ID is transmitted to the server 102 atfirst, is transmitted together therewith.

In a memory area 506, a block address where the downloaded data is to bewritten is stored. In the game apparatus 10, a space area of thedownload area 204 is ensured, and a block address to be written isdecided from the space area. The block address is transmitted to theserver 102.

In a memory area 508, a file data amount to be downloaded from theserver 102 is stored. The file data amount of the file to be downloadedis transmitted from the server 102, so that the received file dataamount is stored in the memory area 508. By the file data amount, theCPU 34 can determine whether or not all data of the write file have beenwritten.

FIG. 14 shows one example of a memory map of the RAM 42 of the gameapparatus 10 at a time of the backup processing. Here, FIG. 14 alsoshows a part of the memory map similar to FIG. 13.

The memory area 500 is a program memory area, and stores the gameprocessing program, the backup processing program, etc. which are readfrom the memory card 28.

In the memory area 504 of the data memory area 502, similar to thedownload processing in FIG. 13, the game ID read from the memory card 28is stored.

In a memory area 510, data to be written is stored. That is, the backupdata generated during execution of the game (application) by the CPU 34is stored.

In a memory area 512, data with parity is stored. The data to be writtenis transformed in a predetermined format by the CPU 34 and then writtento the backup area 206. In this embodiment, a parity bit is added to thebackup data. The data with parity is written to the backup area 206.

FIG. 15 shows one example of the data with parity. FIG. 15 is structuralexample of page data (512 bytes) of the backup area 206, and in thisembodiment, the data structure of each byte is “7-bit data”+“parity (1bit) of the 7-bit data”. That is, with respect to the data to bewritten, the parity bit of one bit is added to every 7 bits to therebygenerate the data with parity. For example, in a bit string of bits 0-6,if there is an even number of “1”, “1” is written to the bit 7 while ifthere is an odd number of “1” in the bite string, “0” is written to thebit 7.

In a memory area 514, a block address to be written is stored. The CPU34 of the game apparatus 10 ensures a space area of the backup area 206,decides a block address where the data with parity is to be written, andstores the block address in the memory area 514. The block address to bewritten is designated in the transition command for making a transitionto the backup mode.

In a memory area 516, a block address to be read is stored. The CPU 34confirms a storing position of the data to be read of the backup area206, decides the block address to be read, and stores the block addressin the memory area 516. The block address to be read is designated inthe transition command for making a transition to the backup mode.

In a memory area 518, the data read from the backup area 206 of thememory card 28 is stored. Whether the data to be read from the backuparea 206 is data with parity or not is checked by the memory controller62 when being read. If the data is read from the backup area 206, thedata is data authorizedly written to the backup area 206, so that theCPU 34 can remove the parity from the read data to transform it to theoriginal data, and can use the data. On the other hand, if it isdetermined that the data of the backup area 206 is data unauthorizedlywritten data as a result of the parity check, the memory controller 62makes a transition to the illegal mode so as to output no data. Thus,the reading processing of the backup data has not been finished, so thata normal operation cannot be performed.

The entire operation of the system 10 during the download processing isbriefly explained with reference to FIG. 16 to FIG. 19. It should benoted that an operation of each of the game apparatus 10, the memorycontroller 62 and the server 102 at a time of the download processing isexplained by utilizing an individual flowchart.

The download processing is started when the memory controller 62 of thememory card 28 is in the game mode. Referring to FIG. 16, when thedownload processing is started, the CPU 34 of the game apparatus 10issues a gRD_UID command to the memory card 28 in a step S1. The gRD_UIDcommand is a command for reading a unique ID from the memory card 28. Inresponse thereto, the memory controller 62 reads a unique ID from theflash memory 64 and outputs the same to the game apparatus 10 in a stepS3. The CPU 34 transfers the received unique ID to the server 102 in astep S5, and the CPU of the server 102 stores the received unique ID inthe RAM. Thus, the unique ID of the memory card 28 is transmitted to theserver 102. The unique ID is compared with a unique ID which is receivedlater for authenticating the memory card 28.

Succeedingly, the CPU 34 of the game apparatus 10 issues a gRD_IFcommand to the memory card 28 in a step S9. The gRD_IF command is acommand for reading the random number and the unique ID in the memorycard 28. In response thereto, the memory controller 62 outputs thegenerated random number and the unique ID read from the flash memory 64to the game apparatus 10 in a step S11. Here, the random number and theunique ID are encrypted by the key 1 developed in the internal RAM 66.The CPU 34 transfers the received data to the server 102 in a step S13.The CPU of the server 102 decrypts the received data with a key 1 in astep S15. The key 1 to be used is the key 1 corresponding to the uniqueID. Then, the CPU of the server 102 determines whether or not the uniqueID decrypted in the step S15 and the unique ID received first in thestep S7 match with each other in a step S17. If “NO” in the step S17,that is, if the unique ID is different from the unique ID firstreceived, since the memory card 28 cannot be acknowledged as anauthorized card, the CPU of the server 102 ends the download writingprocessing in a step S19.

On the other hand, if “YES” in the step S17, that is, if it isdetermined that the memory card 28 is the authorized card by the server102, the CPU 34 of the game apparatus 10 designates a block address forwriting data to be downloaded in the download area 204 in a step S21.Furthermore, the CPU 34 issues a gCHG_DL_MODE command to the memory card28 in a step S23. The gCHG_DL_MODE command is a transition command formaking a transition from the game mode to the DL secure mode. Inresponse thereto, the memory controller 62 makes a transition to the DLsecure mode in a step S25.

Furthermore, in a step S27, the CPU 34 of the game apparatus 10transmits the block address decided in the step S21 to the server 102.In response thereto, the CPU of the server 102 generates a dsCHG_MODEcommand in a step S29. The dsCHG_MODE command is a transition commandfor making a transition from the DL secure mode to the download mode.The transition command is generated by utilizing the random number andthe unique ID acquired in the step S15 and the block address received inthe step S29. Here, the random number and the unique ID are utilized forauthentication in the memory controller 62, and by the block address,the block address where the download data is to be written isdesignated.

Succeedingly, in a step S31 in FIG. 17, the CPU of the server 102encrypts the generated dsCHG_MODE command with the key 1. Then, in astep S33, the CPU of the server 102 transmits the encrypted dsCHG_MODEcommand to the game apparatus 10. The CPU 34 of the game apparatus 10transfers the received data to the memory card 28 in a step S35. Thememory controller 62 receives the data, and decrypts the received datawith the key 1 in a step S37. Thus, from the dsCHG_MODE command, therandom number and the unique ID can be acquired, and the designatedblock address can also be acquired.

The memory controller 62 determines whether or not the unique ID and therandom number which are acquired from the command match with the randomnumber and the unique in the memory card 28 in a step S39. If “NO” inthe step S39, that is, if the received command is not the authorizedcommand, the memory controller 62 makes a transition to the illegal modein a step S41. This hinders the download processing from advancing tothereby prevent the unauthorized download from being performed.

Alternatively, if “YES” in the step S39, that is, if the receivedcommand is the authorized command, the memory controller 62 makes atransition to the download mode in a step S43, and makes only thedesignated block accessible in a step S45. This makes it possible toperform writing to the block designated by the transition command to thedownload mode. Furthermore, at this time, the key 2 for download mode isdecrypted and developed in the internal RAM 66.

Furthermore, in a step S47, the CPU 34 of the game apparatus 10 issues adlRD_IF command to the memory card 28. The dlRD_IF command is a commandfor reading the random number and the unique ID. In response to thecommand, the memory controller 62 encrypts the random number and theunique ID with the key 2, and outputs the same to the game apparatus 10in a step S49. The CPU 34 of the game apparatus 10 receives the data andtransfers the received data to the server 102 in a step S51. In responsethereto, the CPU of the server 102 receives the data, and decrypts thedata by using the key 2 in a step S53. Thus, the server 102 acquires therandom number and the unique ID from the memory card 28. The randomnumber and the unique ID are used later as initial values when an MIC ofthe data to be downloaded is calculated, and are also used as initialvalues for encryption of the data to be transmitted from server 102.

In addition, in a step S55 in FIG. 18, the CPU 34 of the game apparatus10 issues a dlPRT_OFF command to the memory card 28. The dlPRT_OFFcommand is a command for canceling the write protection. In response tothe command, the memory controller 62 turns the write protection off,making it possible to execute writing to the designated block of thedownload area 204.

Succeedingly, in a step S59, the CPU of the server 102 prepares data tobe downloaded, that is, a write file. Then, in a step S61, the CPU ofthe server 102 fetches data of a predetermined size (2 kbytes in thisembodiment) from the write file. The transmission of the write file fromthe server 102 to the game apparatus 10 (to the memory card 28) isperformed by the predetermined size.

Then, in a step S63, the CPU of the server 102 calculates an MIC of apredetermined size (8 bytes in this embodiment) from the data of 2kbytes by using the key 3. As an initial value for the calculation ofthe MIC, the random number and the unique ID which are acquired in thestep S53 are used. In addition, the CPU of the server 102 generates dataobtained by adding the MIC of 8 bytes to the data of 2 kbytes, andencrypts the generated data with the key 2 in a step S65. Here, as aninitial value for the encryption, the random number and the unique IDwhich are acquired in the step S53 are used. Then, in a step S67, theCPU of the server 102 transmits the encrypted data to the game apparatus10.

In response thereto, in a step S69, the CPU 34 of the game apparatus 10transmits a page address to be written together with the received datato the memory card 28. In response thereto, in a step S71, the memorycontroller 62 receives the data.

Succeedingly, in a step S73, the CPU 34 of the game apparatus 10 issuesa dWR_PAGE command to the memory card 28. The dWR_PAGE command is acommand for writing the data transmitted to the memory card 28 to thedownload area 204. In response to the command, the memory controller 62decrypts the received data received in the step S71 with the key 2 in astep S75. Thus, the data obtained by adding the MIC of 8 bytes to thedata of 2 kbytes can be acquired.

In addition, in a step S77, the memory controller 62 calculates an MICof 8 bytes with respect to the acquired data of 2 kbytes with the key 3.When the MIC is calculated, the random number and the unique ID whichare transmitted in the step S49 are utilized as initial values.

Then, in a step S79, the memory controller 62 determines whether or notthe calculated MIC and the MIC acquired through the decryption matchwith each other. If “NO” in the step S79, that is, if the authorizeddownload data is not received, the memory controller 62 does not performwriting in a step S81. Thus, unauthorized data is not written to thedownload area 204.

On the other hand, if “YES” in the step S79, that is, if the authorizeddata is received, the memory controller 62 writes the received data of 2kbytes to the designated block of the download area 204 in a step S83.

Succeedingly, the CPU 34 of the game apparatus 10 determines whether ornot writing of the file is completed or writing by one block iscompleted in a step S85. In the download mode of this embodiment, withina fixed range (one block in this embodiment) from the designated blockaddress, it is possible to write data without the transition commandfrom the server 102. Accordingly, until the writing by one block iscompleted, or until data less than one block of the writing file iscompleted, operations of transmitting the encrypted data by the CPU ofthe server 102, and decrypting the data and writing the same by thememory controller 62 are repeatedly performed. That is, if “NO” in thestep S85, the process returns to the step S61 in FIG. 18. Thus, makingthe use of the transition command from the server 102 unnecessary as tothe writing within the fixed range offers advantages of capable ofreducing the load of the server 102, and shortening the processing onthe side of the game apparatus 10 as well.

On the other hand, in a case that file writing by one block or more hasto be performed, after ending the download mode once, the process makesa transition to the game mode. The transition command is transmittedfrom the server 102 again to change the mode of the memory controller 62to the download mode, and then, downloading the data is performed.

That is, if “YES” in the step S85, the CPU 34 of the game apparatus 10issues a dlCHG_MODE command to the memory card 28 in a step S87. ThedlCHG_MODE command is a transition command for making a transition fromthe download mode to the game mode. In response thereto, the memorycontroller 62 makes a transition to the game mode in a step S89.

In addition, the CPU 34 of the game apparatus 10 determines whether ornot the writing of the file is completed in a step S91. If “NO” in thestep S91, that is, if there is unwritten data in the write file, theprocess returns to the step S9 in FIG. 16 to repeat the processing fromthe game mode. On the other hand, if “YES” in the step S91, that is, ifall data of the write file is written, the download processing is ended.

Succeedingly, an operation of each of the game apparatus 10, the memorycontroller 62 and the server 102 in the download processing isexplained.

FIG. 20 to FIG. 22 show one example of an operation of the gameapparatus 10 in the download processing. When starting the downloadprocessing, in a step S101 shown in FIG. 20, the CPU 34 issues a gRD_UIDcommand to the memory card 28. The gRD_UID command is a command forreading a unique ID. Furthermore, the gRD_UID command is issued when thememory controller 62 is in the game mode, so that this may be encryptedby an algorithm of a relatively low processing load (scramble, forexample) and output to the memory card 28.

When a command and data are transmitted from the game apparatus 10 tothe memory card 28, the CPU 34 applies the command and the data to theconnector 32, and then, the command and the data are applied to thememory controller 62 via the connector 60.

Next in a step S103, the CPU 34 determines whether or not the unique IDis received from the memory card 28. In response to the gRD_UID command,the memory controller 62 returns the unique ID, and thus, reception ofthe data from the memory controller 62 via the connector 32 is waited.

If “YES” in the step S103, that is, if the unique ID from the memorycontroller 62 is received, the CPU 34 transmits the unique ID and thegame ID to the server 102 in a step S105. More specifically, thereceived unique ID is stored in the data memory area 502 of the RAM 42and the game ID stored in the memory area 504 is read, whereby the dataincluding the unique ID and the game ID is transmitted.

It should be noted that when the data is transmitted from the gameapparatus 10 to the server 10, the CPU 34 applies the data to thewireless communication portion 58, and then, the data is applied fromthe wireless communication portion 58 to the server 102 via the accesspoint 104 and the network 106.

Succeedingly, the CPU 34 issues a gRD_IF command to the memory card 28in a step S107. Here, the gRD_IF command is a command for reading therandom number and the unique ID. The gRD_IF command may also beencrypted by an algorism of a relatively low processing load likescramble and may be transmitted. Then, in a step S109, the CPU 34determines whether or not the data (encrypted random number and uniqueID) is received from the memory card 28. In response to the gRD_IFcommand, the memory controller 62 returns the aforementioned data, andthus reception of the data is waited.

If “YES” in the step S109, that is, if the data from the memorycontroller 62 is received, the CPU 34 transmits the received data(encrypted random number and unique ID) to the server 102 in a stepS111.

Succeedingly, in steps S113 and S115, it is determined whether or notthe result as to whether or not the memory card 28 is an authorized cardis received from the server 102 via the wireless communication portion58. The server 102 returns the result of the authentication of thememory card 28 in response to the data transmission in the step S111,and thus reception of the data from the server 102 is waited. Morespecifically, in the step S113, the CPU 34 determines whether or not thefact that the memory card 28 is an authorized card is received from theserver 102. If “NO” in the step S113, the CPU 34 determines whether ornot the fact that the memory card 28 is not an authorized card isreceived in the step S115. If “NO” in the step S115, the process returnsto the step S113.

If “YES” in the step S115, that is, if it is regarded that anunauthorized memory card 28 is attached, the download processing isended. Thus, it is possible to avoid downloading to the unauthorizedmemory card 28.

On the other hand, if “YES” in the step S113, that is, if it is assumedthat the authorized memory card 28 is attached, the CPU 34 ensures aspace area of the download area 204 and decides the block address to bewritten in a step S117. Information about which area out of the memoryarea of the flash memory 64 is used, or which area is a space area isstored in the information area 200 as header information, for example.Thus, the CPU 34 generates management data of the flash memory 64 on thebasis of the header information, ensures the space area on the basis ofthe management data, and decides the block address to be written. Thedecided block address is stored in the memory area 506. After completionof the step S117, the process proceeds to a step S119 in FIG. 21.

In the step S119 in FIG. 21, the CPU 34 issues a gCHG_DL_MODE command tothe memory card 28. The gCHG_DL_MODE command is a transition command formaking a transition to the DL secure mode. Here, the gCHG_DL_MODEcommand may be encrypted according to an algorithm of a relatively lowprocessing load such as a scramble so as to be transmitted.Succeedingly, in a step S121, the CPU 34 transmits the block addressdecided in the step S117 to the server 102.

Then, in a step S123, the CPU 34 determines whether or not the data(encrypted dsCHG_MODE command) is received from the server 102. Inresponse to the transmission in the step S121, the server 102 returnsthe data, and thus, reception of the data is waited.

If “YES” in the step S123, that is, if receiving the aforementioneddata, the CPU 34 transmits the received data (encrypted dsCHG_MODEcommand) to the memory card 28 in a step S125. Thus, the memorycontroller 62 makes a transition to the download mode.

In addition, in a step S127, the CPU 34 issues a dlRD_IF command to thememory card 28. The dlRD_IF command is a command for reading the randomnumber and the unique ID. Then, in a step S129, the CPU 34 determineswhether or not the data (encrypted random number and unique ID) isreceived from the memory card 28. In response to the dlRD_IF command,the memory controller 62 returns the encrypted random number and uniqueID, and reception of the data is waited.

If “YES” in the step S129, that is, if the aforementioned data isreceived, the CPU 34 transmits the received data (encrypted randomnumber and unique ID) to the server 102 in a step S131.

Succeedingly, in a step S133, the CPU 34 issues a dlPRT_OFF command tothe memory card 28. The dlPRT_OFF command is a command for canceling thewrite protection. After completion of the step S133, the processingproceeds to a step S135 in FIG. 22.

In the step S135 shown in FIG. 22, the CPU 34 determines whether or notdata about the amount of file data is received from the server 102. Inresponse to the data transmission in the step S131, the server 102prepares data to be downloaded (write file), and transmits the amount offile data first, and thus, reception of the amount of file data iswaited in the step S135. If “YES” in the step S135, the CPU 34 storesthe received amount of file data in the memory area 508 in a step S137.

Succeedingly, in a step S139, the CPU 34 determines whether or not data(encrypted data of 2 kbytes+8 bytes) is received from the server 102.Here, after transmitting the amount of file data, the server 102transmits the data from the write file by a predetermined size. Morespecifically, the server 102 encrypts the data obtained by adding theMIC of 8 bytes to the data of 2 kbytes and transmits the same, and thus,reception of the data is waited in the step S139.

If “YES” in the step S139, that is, if the aforementioned data isreceived, the CPU 34 transmits a page address to be written with thereceived data to the memory card 28 in a step S141. Here, the data istransmitted by a predetermined size from the server 102, and thus theCPU 34 can decide a page address where the data is to be written on thebasis of the management data of the flash memory 64, the block address,etc. every time that the data is received. In a succeeding step S143,the CPU 34 issues a dWR_PAGE command to the memory card 28. The dWR_PAGEcommand is a command for instructing the memory card 28 to write thetransmitted data in the step S141 to the designated page address.

Then, in a step S145, the CPU 34 determines whether or not the writingof the file is completed, or the writing by one block is completed. Asdescribed above, the data is transmitted by a predetermined size fromthe server 102, and thus, the CPU 34 can calculate the amount of writtendata (amount of data transmitted to the memory card 28). Accordingly,the CPU 34 can determine whether or not the amount of written datareaches the amount of file data or one block. If “NO” in the step S145,the processing returns to the step S139, and until the writing of thefile data is completed, or until the writing by one block is completed,the writing the data is repeated.

On the other hand, if “YES” in the step S145, the CPU 34 issues adlCHG_MODE command to the memory card 28 in a step S147. The dlCHG_MODEcommand is a transition command for making a transition from thedownload mode to the game mode. Then, in a step S149, the CPU 34determines whether or not writing of the file data is completed. If “NO”in the step S149, that is, if writing by one block is completed, butwriting of all the write file has not been completed, the processreturns to the step S107 in FIG. 20, and the processing from the stepS107 in the game mode is performed again for writing the rest of thedata. On the other hand, if “YES” in the step S149, the downloadprocessing is ended.

FIG. 23 to FIG. 26 show one example of an operation of the memorycontroller 62 in the download processing. Additionally, as describedabove, the download processing is started in the game mode, and thus,the processing from when the power is turned on to when the memorycontroller 62 is placed in the game mode is described as steps S201 to5205 in FIG. 23.

When starting the process, the memory controller 62 sets the mode to thegame mode in the step S201 shown in FIG. 23. In a mode memory area 300of the internal RAM 66, data indicating the game mode is stored.

Next, in the step S203, the memory controller 62 makes the download area204 and the game area 202 readable only. For example, the memorycontroller 62 generates data indicating accessibility to each area ofthe flash memory 64 in the internal RAM 66. Then, in the data, dataindicating that only reading is possible with respect to the downloadarea 204 and the game area 202 is set.

Succeedingly, in the step S205, the memory controller 62 reads the key 1and the key 3 from the information area 200 of the flash memory 64 tothe work area of the internal RAM 66 and decrypts the same, and developsthe key 1 and the key 3 in the key memory area 302.

The processing after a step S207 onward corresponds to the downloadprocessing by the memory controller 62. The memory controller 62determines whether or not the gRD_UID command is received via theconnector 60 in the step S207. If “YES” in the step S207, that is, ifthe command for reading the unique ID is received, the memory controller62 reads the unique ID from the memory area 220 of the information area200, and outputs the unique ID to the connector 60 in a step S209. Here,if the gRD_UID command is encrypted through scrambling, etc. and thentransmitted, after the received data is decrypted, it is determinedwhether or not the data is the gRD_UID command. Furthermore, the dataoutput to the connector 60 by the memory controller 62 is applied to theCPU 34 via the connector 32, etc.

If the step S209 is ended, or if “NO” in the step S207, the memorycontroller 62 determines whether or not the gRD_IF command is receivedin a step S211. Here, if the gRD_IF command is encrypted throughscrambling, after the received data is decrypted, it is determinedwhether or not the data is the gRD_IF command. If “NO” in the step S211,the process returns to the step S207.

On the other hand, if “YES” in the step S211, that is, if the commandfor reading the random number and the unique ID is received, the memorycontroller 62 encrypts the random number and the unique ID with the key1 in a step S213. Here, the memory controller 62 generates the randomnumber to the memory area 304, and the memory controller 62 furtherreads the unique ID from the memory area 220 of the information area 200to the work area. Here, the key 1 to be utilized in the encryption hasalready been developed in the memory area 302. In a succeeding stepS215, the memory controller 62 outputs the encrypted random number andunique ID.

Succeedingly, in a step S217, the memory controller 62 determineswhether or not the gCHG_DL_MODE command is received. The gCHG_DL_MODEcommand is issued from the CPU 34 in a case that it is determined thatthe memory card 28 is an authorized card in the server 102, and thus, inthe step S217, reception of the command is waited. Furthermore, if thegCHG_DL_MODE command is encrypted through scrambling, etc., after thereceived data is decrypted, it is determined whether or not the data isthe gCHG_DL_MODE command.

If “YES” in the step S217, that is, if the transition command to the DLsecure mode is received, the memory controller 62 makes a transitionfrom the game mode to the DL secure mode in a step S219. In the modememory area 300, data indicating the DL secure mode is stored.

Succeedingly, in a step S221 shown in FIG. 24, the memory controller 62reads the key 1 from the memory area 214 of the information area 200 anddecrypts the same, and develops the decrypted one in the memory area 302of the internal RAM 66. Here, in the key memory area 302, the key 1 hasalready been developed, but in order to prevent the data from beingreplaced in an accident, the key 1 is developed again in the processingin the step S221.

Furthermore, in a step S224, the memory controller 62 makes all theareas of the flash memory 64 inaccessible. For example, the memorycontroller 62 sets data indicating that access is made impossible withrespect to all the areas in the data indicating accessibility to eacharea of the flash memory 64.

Then, in a step S225, the memory controller 62 determines whether or notthe data (encrypted dsCHG_MODE command) is received. After a transitionto the DL secure mode is made, the encrypted dsCHG_MODE command istransmitted from the server 102, and thus, in the step S225, receptionof the data is waited.

If “YES” in the step S225, that is, if the data (encrypted dsCHG_MODEcommand) is received, the memory controller 62 decrypts the receiveddata with the key 1 in a step S227. The dsCHG_MODE command is encryptedby the key 1 corresponding to the unique ID of the memory card 28 in theserver 102, and thus is decrypted by using the key 1 of the memory area302.

Succeedingly, in a step S229, the memory controller 62 acquires theblock address, the unique ID and the random number from the dsCHG_MODEcommand. In the dsCHG_MODE command, the block address where thedownloaded data is to be written is designated, and the random numberand the unique ID which are previously output in the step S215 areembedded.

Then, in a step S231, the memory controller 62 determines whether or notthe acquired unique ID and random number match with the unique ID andthe random number within the memory card 28, that is, the unique IDstored in the internal RAM 66 and the random number stored in the memoryarea 304.

If “NO” in the step S231, that is, if the transition command to thedownload mode is not the authorized command, the memory controller 62makes a transition to the illegal mode in a step S233. In the modememory area 300, data indicating the illegal mode is stored. When atransition to the illegal mode is made, the memory controller 62 doesnot perform the download processing, capable of preventing unauthorizedwriting from being performed.

On the other hand, if “YES” in the step S231, that is, if the transitioncommand to the download mode is the authorized command, the memorycontroller 62 makes a transition from the DL secure mode to the downloadmode in a step S235. In the mode memory area 300, data indicating thedownload mode is stored.

Furthermore, in a step S237, the memory controller 62 makes only theblock designated by the dsCHG_MODE command accessible. For example, thememory controller 62 changes the memory map of the download area to thedesignated block only and sets the data indicating that access is madepossible with respect to only the download area to the data indicatingaccessibility to each area of the flash memory 64.

In addition, in a step S239, the memory controller 62 reads the key 2from the memory area 216 of the information area 200 and decrypts thesame, and develops the decrypted one in the memory area 302 of theinternal RAM 66 in place of the key 1. Here, before the key 2 isdeveloped, the key 1 is erased from the key memory area 302.

Succeedingly, in a step S241 in FIG. 25, the memory controller 62determines whether or not the dlRD_IF command is received. The dlRD_IFcommand is issued by the CPU 34 after the encrypted dsCHG_MODE commandis transferred, and thus, reception of the dlRD_IF command is waited inthe step S241.

If “YES” in the step S241, that is, if the command for reading therandom number and the unique ID is received, the memory controller 62encrypts the random number and the unique ID with the key 2 in a stepS243. Specifically, the memory controller 62 issues the random number tothe memory area 304, and reads the unique ID from the memory area 220 ofinformation area 200. Then, the random number and the unique ID areencrypted with the key 2 developed in the memory area 302. In a stepS245, the memory controller 62 outputs the encrypted random number andunique ID.

Succeedingly, in a step S247, the memory controller 62 determineswhether or not the dlPRT_OFF command is received. The CPU 34 transfersthe encrypted random number and unique ID which are output in the stepS245 to the server 102, and issues the dlPRT_OFF command, and thus,reception of the command is waited in a step S247.

If “YES” in the step S247, that is, if the command for cancelling thewrite protection is received, the memory controller 62 turns off thewrite protection with respect to the download area 204 of the flashmemory 64 in a step S249. More specifically, the memory controller 62turns off the flag indicating the write protection stored in the memoryarea 306 of the internal RAM 66.

Succeedingly, in a step S251, the memory controller 62 determineswhether or not the data (encrypted 2 kbyte+8 byte data) is received. Thedata is download data transmitted from the server 102. Furthermore, inthe reception data, a page address to be written is added by the CPU 34of the game apparatus 10.

If “YES” in the step S251, the memory controller 62 stores the receiveddata and the page address in the work area of the internal RAM 66 in astep S253. On the other hand, if “NO” in the step S251, the processproceeds to a step S269 shown in FIG. 26.

Succeedingly, in a step S255, the memory controller 62 determineswhether or not the dWR_PAGE command is received. As the dWR_PAGE commandis issued by the CPU 34 of the game apparatus 10 after transfer of thedownload data, receiving the dWR_PAGE command is waited in the stepS255.

If “YES” in the step S255, that is, if the writing command is received,the process proceeds to a step S257 shown in FIG. 26. In the step S257,the memory controller 62 determines whether or not the write protectionof the memory area 306 is turned off.

If “YES” in the step S257, that is, if the downloaded data is allowed tobe written, the memory controller 62 decrypts the received data(encrypted 2 kbyte+8 byte data) with the key 2 in a step S259. Here, thereceived data is encrypted by the key 2 corresponding to the unique IDof the memory card 28 in the server 102. By the decryption, it ispossible to acquire the data of 2 kbytes to be downloaded and the MIC of8 bytes.

Succeedingly, in a step S261, the memory controller 62 calculates theMIC of 8 bytes with respect to the decrypted data of 2 kbytes with thekey 3. Here, when the MIC is calculated, the unique ID and the randomnumber which are stored in the internal RAM 66 are used as initialvalues. Furthermore, the key 3 for calculation is constructed by thepart of the key 2 (common part) stored in the memory area 302 and thekey 3.

Then, in a step S263, the memory controller 62 determines whether or notthe calculated MIC matches with the decrypted MIC. If “NO” in the stepS263, that is, if the downloaded data is identified as unauthorizeddata, the process proceeds to a step S265. In the step S265, the memorycontroller 62 does not execute writing. Thus, it is possible to preventthe unauthorized data from being written to the download area 204. Aftercompletion of the step S265, the download processing is ended.

On the other hand, if “YES” in the step S263, that is, if the downloadeddata is authorized data, the memory controller 62 writes the decrypteddata of 2 kbytes in the designated page in a step S267.

Succeedingly, in a step S269, the memory controller 62 determineswhether or not the dlCHG_MODE command is received. The dlCHG_MODEcommand is issued by the CPU 34 when writing of the file is completed orwriting by one block is completed. If “NO” in the step S269, the processreturns to the step S251 in FIG. 25. Accordingly, until the writing ofthe file is completed, or until the writing by one block is completed,writing the downloaded data of the predetermined size (2 kbytes) to thedownload area 204 is repeated.

On the other hand, if “YES” in the step S269, that is, if a transitioncommand to the game mode is received, the memory controller 62 makes atransition from the download mode to the game mode in a step S271. Inthe mode memory area 300, data indicating the game mode is stored.Furthermore, in a step S273, the memory controller 62 makes the downloadarea 204 and the game area 202 readable only similar to the step S203.Here, the memory map of the download area is changed to the designatedblock, and thus, the download area 204 is returned to the originalcondition on the basis of the boundary data (start address) of each areadefined in the information area 200, and the data indicating that accessis made possible with respect to only the download area is set.

In addition, in a step S275, the memory controller 62 decrypts the key 1read from the memory area 214 of the information area 200 and developsthe same in the key memory area 302 of the internal RAM 66 in place ofthe key 2. When the step S275 is ended, the process returns to the stepS207. In a case that writing of the file to be downloaded is notcompleted, the download processing is executed from the game mode againto perform writing of the rest of the data.

FIG. 27 to FIG. 29 show one example of an operation of the server 102 inthe download processing. When starting the download processing, the CPUof the server 102 determines whether or not the unique ID and the gameID are received in a step S301. In the download processing, the uniqueID of the memory card 28 and the game ID are first transmitted from thegame apparatus 10 via the network 106, and thus, reception of them arewaited in the step S301.

If “YES” in the step S301, the CPU of the server 102 stores the receivedunique ID and game ID in the memory area 404 and the memory area 406 ofthe RAM, respectively, in a step S303.

Succeedingly, in a step S305, the CPU of the server 102 determineswhether or not data (encrypted random number and unique ID) is received.The aforementioned data is transmitted from the game apparatus 10 forauthenticating the memory card 28 after first transmission of the uniqueID, and thus, reception is waited in the step S305.

If “YES” in the step S305, the CPU of the server 102 decrypts thereceived data (encrypted random number and unique ID) with the key 1corresponding to the unique ID in a step S307. More specifically, sincethe received data is encrypted with the key 1 by the memory controller62 of the memory card 28, the CPU reads the keys 1, 2 and 3corresponding to the first received unique ID of the memory area 404,and stores them in the memory area 408. Then, the received data isdecrypted with the key 1. Thus, it is possible to acquire the randomnumber and the unique ID, and store the acquired random number andunique ID in the memory area 410.

Then, in a step S309, the CPU of the server 102 determines whether ornot the decrypted unique ID stored in the memory area 410 matches withthe first unique ID stored in the memory area 404.

If “YES” in the step S309, that is, if the memory card 28 is identifiedas an authorized card, the CPU of the server 102 transmits the dataindicating that the memory card 28 is the authorized card to the gameapparatus 10 via the network 106 in a step S311. After completion of thestep S311, the process proceeds to a step S315 in FIG. 28.

On the other hand, If “NO” in the step S309, that is, if the memory card28 is not identified as an authorized card, the CPU of the server 102transmits the data indicating that the memory card 28 is not theauthorized card to the game apparatus 10 in a step S313. Then, thedownload processing is ended.

In the step S315 shown in FIG. 28, the CPU of the server 102 determineswhether or not the block address is received. In response to thetransmission in the step S311, the block address is transmitted from thegame apparatus 10, and thus, the reception is waited in the step S315.

If “YES” in the step S315, the CPU of the server 102 stores the receivedblock address in the memory area 412 in a step S317. Succeedingly, in astep S319, the CPU of the server 102 generates a dsCHG_MODE command byusing the block address, the unique ID, and the random number. ThedsCHG_MODE command is a transition command form making a transition tothe download mode. In the dsCHG_MODE command, the block address isdesignated, and in the download mode, writing to the designated blockaddress is made possible. Furthermore, in the dsCHG_MODE command, therandom number and the unique ID of the memory area 410 are included.

Furthermore, in a step S321, the CPU of the server 102 encrypts thegenerated dsCHG_MODE command with the key 1 corresponding to the uniqueID. Then, in a step S323, the CPU of the server 102 transmits theencrypted dsCHG_MODE command to the game apparatus 10.

Succeedingly, in a step S325, the CPU of the server 102 determineswhether or not the data (encrypted random number and unique ID) isreceived from the game apparatus 10. When making a transition to thedownload mode, the memory controller 62 encrypts the random number andthe unique ID with the key 2 and transmits the same to the server 102,and thus, the reception is waited in the step S325.

If “YES” in the step S325, that is, if the aforementioned data(encrypted random number and unique ID) is received, the CPU of theserver 102 decrypts the received data (encrypted random number andunique ID) with the key 2 corresponding to the unique ID in a step S327.Thus, the random number and unique ID which are thus acquired are storedin the memory area 410. After completion of the step S327, the processproceeds to a step S329 in FIG. 29.

In the step S329 shown in FIG. 29, the CPU of the server 102 prepares awrite file. More specifically, predetermined data is read from the datato be downloaded stored in the database, and stored in the memory area414 of the RAM. The write file may be a file corresponding to the uniqueID, a file corresponding to the game ID, or a predetermined fileindependent of the unique ID and the game ID, for example. In a stepS331, the CPU of the server 102 transmits the file data amount of thewrite file to the game apparatus 10.

Succeedingly, in a step S333, the CPU of the server 102 fetches data ofa predetermined size (2 kbytes in this embodiment) from the write file.The data of the write file is transmitted separately by thepredetermined size.

In a step S335, the CPU of the server 102 calculates the MIC of 8 byteswith respect to the data of 2 kbytes with the key 3 corresponding to theunique ID. Here, as initial values for calculation of the MIC, therandom number and the unique ID in the memory area 410 are used. In asucceeding step S337, the CPU of the server 102 adds the MIC of 8 bytesto the data of 2 kbytes. Then, in a step S339, the CPU of the server 102encrypts the data of 2 kbytes+8 bytes with the key 2 corresponding tothe unique ID. Here, as initial values for encryption, the unique ID andthe random number of the memory area 410 are used. In a step S341, theCPU of the server 102 transmits the encrypted data of 2 kbytes+8 bytesto the game apparatus 10.

In a succeeding step S343, the CPU of the server 102 determines whetheror not the file transmission is completed, or the transmission by oneblock is completed. Whether or not the file transmission is completedcan be determined on the basis of the data amount of the write file andthe cumulative amount of the data transmission. If “NO” in the stepS343, that is, if the transmission by one block is not completed, or ifthe file transmission is not completed, the process returns to the stepS333 to repeat the processing for transmitting the data of thepredetermined size.

On the other hand, if “YES” in the step S343, the CPU of the server 102determines whether or not the file transmission is completed in a stepS345. If “NO” in the step S345, that is, if the data transmission inblocks is completed, but the transmission of all data of the write fileis not completed, the process returns to the step S305 in FIG. 27. Byrepeating the processing from the download processing when the memorycontroller 62 in the game mode, writing of the data in the file to anext block is performed. On the other hand, if “YES” in the step S345,the writing of the data in the file is completed, so that the downloadprocessing is ended.

An operation of the backup processing by the game apparatus 10 as asecurity system with respect to the backup area is explained withreference to the flowcharts shown in FIG. 30 to FIG. 33.

FIG. 30 shows one example of an operation of the game apparatus 10 inthe backup writing processing. When writing to the backup area 206 isstarted, the CPU 34 prepares the data to be written in the RAM 42 in astep S401. The data to be written is backup data generated by the CPU 34in the game processing, and stored in the memory area 510.

Next, in a step S403, the CPU 34 adds parity to the data to be written.As shown in FIG. 15, in this embodiment, data with parity is generatedin a format in which each byte data is constructed of “data of sevenbits”+a “parity bit (one bit)”. That is, the first seven bits in eachbyte is the generated backup data, and the parity of the first 7 bits isadded to the last bit. The generated data with parity is stored in thememory area 512.

Succeedingly, in a step S405, the CPU 34 confirms a space area of thebackup area 206, and decides a block address to be written. Here,information about which area is used or about which area is a space areaout of the memory area of the flash memory 64 is stored in theinformation area 200 as header information, for example, and thus, theCPU 34 generates management data of the flash memory 64 on the basis ofthe header information, ensures the space area in the backup area 206based on the management data, and decides a block address to be written.The decided block address is stored in the memory area 514.

Then, in a step S407, the CPU 34 issues a gCHG_BK_MODE command to thememory card 28. The gCHG_BK_MODE command is a transition command formaking a transition to the backup mode. In the transition command, theblock address to be written is designated. Here, the memory controller62 makes a transition to the backup mode in response to the transitioncommand, and makes only the designated block readable out of the backuparea 206.

In a succeeding step S409, the CPU 34 issues to the memory card 28 awrite command for writing the data with parity. The write commandincludes the data with parity to be written. Similar to theabove-described writing to the download area 204, data of apredetermined size is added to the write command such that the data iswritten by the predetermined size. In response to the write command, thememory controller 62 writes the data to the designated block of thebackup area 206.

Then, in a step S411, the CPU 34 determines whether or not writing ofall the prepared data is completed, or writing of the data by one blockis completed. Here, whether or not writing of the prepared data (datawith parity) is completed can be determined on the basis of the dataamount of data with parity stored in the memory area 512 and thecumulative amount of data by the write command. If “NO” in the stepS411, the process returns to the step S409 to repeat the writing by thewrite command.

On the other hand, if “YES” in the step S411, the CPU 34 issues abCHG_MODE command to the memory card 28 in a step S413. The bCHG_MODEcommand is a transition command for making a transition from the backupmode to the game mode. Here, in response to the transition command, thememory controller 62 makes a transition to the game mode.

Then, in a step S415, the CPU 34 determines whether or not writing ofall prepared data (data with parity) is completed. If “NO” in the stepS45, that is, if writing data by one block is completed, but there isdata with parity on which writing is not performed, the process returnsto the step S405 to execute processing for writing as to the next block.On the other hand, if “YES” in the step S415, the backup writingprocessing is ended.

FIG. 31 shows one example of an operation of the game apparatus 10 inthe backup reading processing. When reading processing from the backuparea 206 is started, the CPU 34 confirms a storing location of thebackup data to be read in a step S501. Here, the backup data to be readis selected according to an operation by the user or a program, etc. Theinformation in relation to a storing place of each backup data isincluded in the header information of the flash memory 64, for example.

Next, in a step S503, the CPU 34 decides a block address to be read. Theblock address to be read is decided from the storing location of thebackup data to be read, and stored in the memory area 516.

Succeedingly, in a step S505, the CPU 34 issues a gCHG_BK_MODE commandto the memory card 28. The gCHG_BK_MODE command is a transition commandfor making a transition to the backup mode. In the transition command,the block address to be read which is decided in the step S503 isdesignated. In response to the transition command, the memory controller62 makes a transition to the backup mode in which only the designatedblock is made accessible.

In a step S507, the CPU 34 designates a page address to be read andissues a read command to the memory card 28. The read command is acommand for instructing the memory card 28 to read the data. Forexample, it is possible to instruct the memory card 28 to read the dataon the designated page. Here, in response to the read command, thememory controller 62 reads the data on the designated page from thebackup area 206. Then, if the read data is the authorized data, the datais output to the CPU 34.

In a step S509, the CPU 34 determines whether or not the data isreceived from the memory card 28. As described above, if the read datais the authorized one, the data is output, and thus, in the step S509,the reception is waited. Here, in a case that the read data by thememory controller 62 is the unauthorized one, a transition to theillegal mode is made to thereby output no data, and the backup readingprocessing is not operated normally.

If “YES” in the step S509, the CPU 34 stores the received data, that is,the read data in the memory area 518 of the RAM 42 in a step S511. Then,in a step S513, the CPU 34 determines whether all data to be read isread, or reading by one block is completed. Here, whether or not alldata to be read is read can be determined on the basis of a data amountof the data to be read and a cumulative amount of the read data by theread command. If “NO” in the step S513, the process returns to the stepS507 to repeat the reading processing by the read command.

On the other hand, if “YES” in the step S513, the CPU 34 issues abCHG_MODE command to the memory card 28 in a step S515. The bCHG_MODEcommand is a transition command for making a transition to the gamemode. In response to the transition command, the memory controller 62makes a transition to the game mode.

Then, in a step S517, the CPU 34 determines whether or not all data tobe read is read. If “NO” in the step S517, that is, if reading by oneblock is completed, but there is data to be read, the process returns tothe step S503 to execute processing to read a next block. On the otherhand, if “YES” in the step S517, the backup reading processing is ended.

FIG. 32 and FIG. 33 show one example of an operation of the memorycontroller 62 in the backup processing. In a step S601 in FIG. 32, thememory controller 62 determines whether or not a gCHG_BK_MODE command isreceived. The gCHG_BK_MODE command is a transition command to the backupmode. If “NO” in the step S601, the backup processing is ended.

On the other hand, if “YES” in the step S601, the memory controller 62makes a transition from the game mode to the backup mode in a step S603.In the mode memory area 300 of the internal RAM 66, data indicating thebackup mode is stored. In a succeeding step S605, the memory controller62 makes only the block designated by the gCHG_BK_MODE command out ofthe backup area 206 accessible. For example, the memory controller 62stores the data indicating accessibility to each area of the flashmemory 64 in the internal RAM 66, changes in the data the memory map ofthe download area to the designated block only, and sets the dataindicating that access is made possible with respect to only the backuparea.

Then, the memory controller 62 executes processing corresponding to thecommand received in the backup mode. That is, in a step S607, the memorycontroller 62 determines whether or not the write command is received.If “YES” in the step S607, the memory controller 62 writes the receiveddata together with the write command in the block of the backup area 206designated by the transition command in a step S609.

If the step S609 is ended, or if “NO” in the step S607, the memorycontroller 62 determines whether or not the bCHG_MODE command isreceived in a step S611. If “YES” in the step S611, that is, if thetransition command to the game mode is received, the memory controller62 makes a transition from the backup mode to the game mode in a stepS613. In the mode memory area 300, data indicating the game mode isstored. Succeedingly, in a step S615, the memory controller 62 makes thebackup area 206 inaccessible. For example, in the data indicatingaccessibility to each area of the flash memory 64, data indicating thatthe memory map of the backup area is returned to the original, and anaccess to the backup area 206 is made impossible is set. Aftercompletion of the step S615, the backup processing is ended.

On the other hand, if “NO” in the step S611, in a step S617 in FIG. 33,the memory controller 62 determines whether or not the read command isreceived. If “YES” in the step S617, the memory controller 62 determineswhether or not the page designated by the read command is in theaccessible block in a step S619. The accessible block is a block withinthe backup area 206 designated by the transition command to the backupmode. By the determination, it is possible to perform a parity checkwith respect to only the data on which a reading designation is properlyperformed, capable of eliminating an unauthorized reading command.

If “YES” in the step S619, the memory controller 62 checks the parity inthe page designated by the read command in a step S621. Morespecifically, the memory controller 62 reads the designated page data inthe work area of the internal RAM 66, calculates parity of the first 7bits of each byte, and compares the calculation result with the last bitof each byte.

Then, in a step S623, the memory controller 62 determines whether or notthe result of the parity check is correct. If “YES” in the step S623,that is, if the calculated parity bit and the last bit are equal to eachother with respect to all the bytes, the memory controller 62 outputsthe data in the designated page to the CPU 34 in a step S625.

On the other hand, if “NO” in the step S623, that is, if any byte forwhich the calculated parity bit and the last bit are not equal to eachother is detected, the data to be read is identified as unauthorizeddata, and the memory controller 62 makes a transition to the illegalmode in a step S627. In the mode memory area 300, data indicating theillegal mode is stored. When a transition to the illegal mode is made,the memory controller 62 does not output the read data. Accordingly, itis possible to prevent the unauthorized data from being read andutilized.

Additionally, if “NO” in the step S617, if “NO” in the step S619, or ifthe step S625 is ended, the process returns to the step S607 in FIG. 32.

In the above-described embodiment, the download area 204 is provided tothe flash memory 64 of the memory card 28 detachable to the gameapparatus 10, but in another embodiment, the flash memory 64 iscontained in the housing 16 of the game apparatus 10, and within theflash memory 64, the download area 204 may be provided. In this case,the memory controller 62 is also contained in the housing 16.Furthermore, the backup area 206 may be also provided in the flashmemory 64 inside the housing 16 of the game apparatus 10. Here, in acase that the flash memory 64 is contained in the housing 16 of the gameapparatus 10, the unique ID may be identification information of thegame apparatus 10.

In each of the above-described embodiments, for making encryption foreach memory card 28, the keys 1, 2 and 3 corresponding to the unique IDof the memory card 28 are prepared, and stored in the flash memory 64and the server 12 in advance. However, in another embodiment, encryptionmay be made for each game title (game program) or each kind of theapplication (application program), and in such a case, keys 1, 2 and 3corresponding to the game ID (application ID) are prepared and stored inthe flash memory 64 and the server 12 in advance. Then, at a time ofencryption or decryption, keys corresponding to the game ID are used.

Furthermore, in each of the above-described embodiment, two writingareas, such as the download area 204 and the backup area 206 areprovided to the flash memory 64, and one of the download area 204 isprotected stepwise by the mode transition and the encryption of thewrite data, and the other of the backup area 206 is protected by theformat of the write data. However, in another embodiment, any one of thewriting area only may be provided in the flash memory 64.

Although the present invention has been described and illustrated indetail, it is clearly understood that the same is by way of illustrationand example only and is not to be taken by way of limitation, the spiritand scope of the present invention being limited only by the terms ofthe appended claims.

1. A writing area security system including a storage having apredetermined writing area, a controller controlling writing to andreading from said storage, and a host to be connected to saidcontroller, wherein said host includes an instruction transmitter whichtransmits a reading instruction of data stored in said predeterminedwriting area to said controller, and said controller includes a formatdeterminer which determines whether or not the data read from saidpredetermined writing area in response to said reading instruction is ina predetermined format, and an outputter which outputs said data to saidhost only when said format determiner determines that said data is insaid predetermined format.
 2. A writing area security system accordingto claim 1, wherein said storage has a first area and a second area,said controller further includes a first writer which writes data tosaid first area in a writable mode to which a transition is made inresponse to a first transition command, and said format determinerdetermines only with respect to the data read from said second area assaid predetermined writing area whether or not said data is in thepredetermined format.
 3. A writing area security system according toclaim 1, wherein said controller further includes an address determinerwhich determines whether or not a reading address designated from saidhost is within an accessible area out of said predetermined writingarea, and when said address determiner determines that said readingaddress is within said area, said format determiner determines whetheror not the read data is in the predetermined format.
 4. A writing areasecurity system according to claim 1, wherein said format determinermakes a determination by a parity check of said read data.
 5. A writingarea security system according to claim 1, wherein said controller makesa transition to an illegal mode when said format determiner determinesthat said read data is not in said predetermined format.
 6. A writingarea security system according to claim 1, wherein said host includes awriting data generator which generates data to which a parity bit isadded, and said controller includes a second writer which writes thedata generated by said writing data generator in said predeterminedwriting area.
 7. A writing area security system according to claim 2,wherein said storage stores boundary data between said first area andsaid second area.
 8. A writing area security system according to claim2, wherein a server and an information processing apparatus fordownloading data from said server are included, said informationprocessing apparatus includes said storage, said controller, and saidhost, said server includes a transition command transmitter whichtransmits to said information processing apparatus said first transitioncommand to cause said controller to make a transition to a writable modeto said first area of said storage, and a data transmitter whichtransmits data to be downloaded to said information processingapparatus.
 9. A writing area security system according to claim 8,wherein said server further includes an encrypter which encrypts saidfirst transition command, said transition command transmitter transmitssaid first transition command encrypted by said encrypter, and saidcontroller further includes a decrypter which decrypts the encryptedfirst transition command.
 10. A writing area security system accordingto claim 8, wherein said first transition command includes an addressdesignated for writing said data to be downloaded, and said controllerfurther includes a write enabler which makes only said designatedaddress writable out of said first area when a transition is made tosaid writable mode as to said first area in response to said firsttransition command.
 11. A writing area security system according toclaim 10, wherein said write enabler makes a fixed range from saiddesignated address out of said first area writable.
 12. A writing areasecurity system according to claim 9, wherein said controller decryptsthe encrypted first transition command by said decrypter in a securemode being higher in a degree of security than usual to which atransition has been made direct before said writable mode as to saidfirst area.
 13. A writing area security system according to claim 9,wherein said server stores a first key for encrypting said firsttransition command, and a second key different from said first key forencrypting said data to be downloaded, said encrypter encrypts saidfirst transition command by utilizing said first key, said datatransmitter transmits the data to be downloaded encrypted by utilizingsaid second key, said storage stores said first key and said second key,said decrypter decrypts means decrypts the encrypted first transitioncommand by utilizing said first key, and said first writer decrypts saidencrypted data to be downloaded by utilizing said second key in thewritable mode to said first area and writes the same to said first area.14. A writing area security system according to claim 13, wherein saidserver further stores a third key for message digest authentication ofsaid data to be downloaded, said data transmitter encrypts, by utilizingsaid second key, said data to be downloaded to which an authenticationsymbol generated by utilizing said third key is added, and transmits theencrypted data, said storage further stores said third key, saidcontroller decrypts the encrypted data by utilizing said second key insaid writable mode as to said first area, and said first writer, whenthe decrypted data is authenticated by utilizing said third key, writessaid data in said first area.
 15. A writing area security systemaccording to claim 14, wherein said third key is a key obtained by apart of said second key being replaced.
 16. A writing area securitysystem according to claim 12, wherein said storage stores the encryptedfirst key and second key, and said controller decrypts the encryptedfirst key and develops the same in a RAM when a transition to saidsecure mode is made, and decrypts the encrypted second key and developsthe same in said RAM when a transition to said writable mode to saidfirst area is made.
 17. A writing area security system according toclaim 16, wherein said controller develops said first key in response toa second transition command for making a transition to said secure mode,and develops said second key in response to said first transitioncommand.
 18. A writing area security system according to claim 8,wherein said host further includes a normal encrypter which performs anencryption according to an algorithm of a relatively low processing loadon the command issued with respect to said in a normal mode.
 19. Awriting area security system according to claim 8, wherein said hostfurther includes a write command issure which issues a writing commandto instruct said controller to perform writing, and said controllerwrites said data to be downloaded to said first area in response to saidwriting command in said writable mode to said first area.
 20. A writingarea security system according to claim 9, wherein said storage storesidentification information of said storage, said information processingapparatus includes an identification information transmitter whichtransmits said identification information stored in said storage to saidserver, said server stores a plurality of first keys for encrypting saidfirst transition command, each of which is brought into correspondencewith a respective one of said plurality of identification information,and said encrypter encrypts said first transition command by utilizingsaid first key corresponding to the identification information of saidstorage.
 21. A writing area security system according to claim 9,wherein said storage stores identification information of an applicationprogram stored in said storage, said information processing apparatusincludes an identification information transmitter which transmits saididentification information stored in said storage to said server, saidserver stores a plurality of first keys for encrypting said firsttransition command, each of which is brought into correspondence with arespective one of said plurality of identification information, and saidencrypter encrypts said first transition command by utilizing said firstkey corresponding to the received identification information of theapplication program.
 22. A writing area security system according toclaim 1, wherein said storage and said controller are provided to adetachable storage medium.
 23. A memory controller utilized in a writingarea security system including a storage having a predetermined writingarea and a host, and controlling writing to and reading from saidstorage, comprising: a format determiner which determines whether or notdata read from said predetermined writing area in response to a readinginstruction from said host is in a predetermined format, and anoutputter which outputs said data to said host only when said formatdeterminer determines that said data is in said predetermined format.24. A security method in a writing area security system including astorage having a predetermined writing area, a controller which controlswriting to and reading from said storage, and a host to be connected tosaid controller, including steps of: a step of determining whether ornot data read from said predetermined writing area in response to areading instruction from said host by said controller is in apredetermined format, and a step of outputting said data to said host bysaid controller only when it is determined that said data is in thepredetermined format.